NVD CVE Vulnerability Search

Pricing

from $3.00 / 1,000 CVEs fetched

Search the NIST National Vulnerability Database for CVEs. Filter by keyword, CVSS v3 severity, date range, and CPE product name. Returns CVSS scores, attack vectors, CWE weaknesses, and references. Free API, no key required.

Developer

ryan clinton

Maintained by Community

What does NVD CVE Vulnerability Search do?

NVD CVE Vulnerability Search queries the NIST National Vulnerability Database (NVD) REST API v2.0 to retrieve detailed information about Common Vulnerabilities and Exposures (CVEs). The NVD is the U.S. government's authoritative repository of vulnerability data, containing over 200,000 cataloged CVEs.

The actor searches by keyword, specific CVE ID, CPE product name, CVSS v3 severity level, and publication date range. Each CVE record is enriched with CVSS v3.1 scoring data (with automatic fallback to CVSS v2), attack vector analysis, exploitability and impact scores, CWE weakness classifications, and up to 10 reference links. All data is returned as clean, structured JSON ready for security analysis, compliance dashboards, or DevSecOps pipeline integration.

Why use NVD CVE Vulnerability Search on Apify?

  • No infrastructure to manage -- The actor runs in the cloud. You do not need to set up servers, manage rate limits, or implement pagination logic.
  • Automatic 120-day window splitting -- The NVD API restricts date ranges to 120 days per request. The actor automatically splits longer ranges into compliant windows and merges the results seamlessly.
  • Built-in rate limiting -- Respects the NVD API's strict quota (5 requests per 30 seconds for unauthenticated users) with 6.5-second delays between requests.
  • Scheduled monitoring -- Run daily or weekly to automatically check for new CVEs matching your criteria, with webhook alerts to Slack, email, or any endpoint.
  • No API key required -- The NVD API is free and does not require authentication for basic usage.

Key features

  • Keyword search across all CVE descriptions with optional exact-phrase matching
  • Direct CVE ID lookup for retrieving a specific vulnerability record (e.g., CVE-2021-44228)
  • CPE product filtering to find vulnerabilities affecting a specific software product or vendor
  • CVSS v3 severity filtering by Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), or Low (0.1-3.9)
  • Date range filtering with automatic 120-day window splitting for NVD API compliance
  • Full CVSS v3.1 metrics including attack vector, attack complexity, privileges required, user interaction, exploitability score, and impact score
  • CWE weakness classification extracted and deduplicated from NVD weakness data
  • Automatic pagination to retrieve up to 10,000 results across multiple API pages
  • Reference links with up to 10 advisory and patch URLs per CVE

How to use NVD CVE Vulnerability Search

  1. Navigate to the NVD CVE Vulnerability Search on the Apify Store.
  2. Click Try for free to open the actor in Apify Console.
  3. Enter a keyword like log4j or remote code execution, or enter a specific CVE ID.
  4. Optionally set a CVSS v3 severity filter and/or date range.
  5. Click Start and wait for the run to complete.
  6. Download your results from the Dataset tab in JSON, CSV, or Excel format.

Input parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| keywordSearch | string | No | -- | Search CVE descriptions for keywords (e.g., "log4j", "SQL injection", "buffer overflow") |
| cveId | string | No | -- | Look up a specific CVE by ID (e.g., "CVE-2021-44228"). Overrides keyword search when provided |
| cpeName | string | No | -- | Filter by CPE product (e.g., "cpe:2.3:a:apache:log4j"). Use partial match |
| cvssV3Severity | select | No | -- | CVSS v3 severity: CRITICAL, HIGH, MEDIUM, or LOW |
| pubStartDate | string | No | -- | CVEs published after this date (YYYY-MM-DD) |
| pubEndDate | string | No | -- | CVEs published before this date (YYYY-MM-DD). Defaults to today |
| keywordExactMatch | boolean | No | false | When enabled, keyword must match as exact phrase rather than any individual word |
| maxResults | integer | No | 100 | Maximum number of CVEs to return (1--10,000) |

At least one search filter (keyword, CVE ID, CPE name, severity, or date range) must be provided.

Input examples

Critical remote code execution vulnerabilities in 2024:

{
    "keywordSearch": "remote code execution",
    "cvssV3Severity": "CRITICAL",
    "pubStartDate": "2024-01-01",
    "pubEndDate": "2024-12-31",
    "keywordExactMatch": true,
    "maxResults": 500
}

Look up Log4Shell (CVE-2021-44228):

{
    "cveId": "CVE-2021-44228"
}

All CVEs for Apache HTTP Server:

{
    "cpeName": "cpe:2.3:a:apache:http_server",
    "maxResults": 1000
}

High severity CVEs from the last 30 days:

{
    "cvssV3Severity": "HIGH",
    "pubStartDate": "2025-01-18",
    "maxResults": 200
}

Input tips

  • Use exact match for multi-word phrases like "SQL injection" to avoid matching CVEs that contain "SQL" and "injection" in separate contexts.
  • CVE ID lookup is the fastest query type -- it returns a single record without pagination or rate limit delays.
  • CPE names follow the format cpe:2.3:a:vendor:product. Find CPE names on the NVD CPE Dictionary.
  • Date ranges longer than 120 days are automatically split into multiple API windows and merged.
  • Start with smaller maxResults (50-100) to verify your filters before running larger extractions.
  • Schedule daily runs with pubStartDate set to yesterday's date to capture newly published CVEs.

Output example

{
    "cveId": "CVE-2021-44228",
    "description": "Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
    "published": "2021-12-10",
    "lastModified": "2023-11-07",
    "status": "Analyzed",
    "cvssScore": 10,
    "severity": "CRITICAL",
    "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "attackVector": "NETWORK",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "NONE",
    "exploitabilityScore": 3.89,
    "impactScore": 6.0,
    "weaknesses": ["CWE-917", "CWE-20", "CWE-400", "CWE-502"],
    "references": [
        "https://logging.apache.org/log4j/2.x/security.html",
        "https://www.oracle.com/security-alerts/cpujan2022.html"
    ],
    "sourceIdentifier": "security@apache.org",
    "extractedAt": "2025-01-15T12:30:45.123Z"
}

Output fields

| Field | Type | Description |
|---|---|---|
| cveId | string | CVE identifier (e.g., "CVE-2021-44228") |
| description | string | English-language description of the vulnerability |
| published | string | Date the CVE was published (YYYY-MM-DD) |
| lastModified | string | Date the CVE was last modified (YYYY-MM-DD) |
| status | string | NVD analysis status: Analyzed, Modified, Awaiting Analysis, etc. |
| cvssScore | number or null | CVSS base score (0.0-10.0). Prefers v3.1, falls back to v2 |
| severity | string | Severity label: CRITICAL, HIGH, MEDIUM, LOW, or empty |
| cvssVector | string | CVSS vector string (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H") |
| attackVector | string | How the vulnerability is exploited: NETWORK, ADJACENT_NETWORK, LOCAL, PHYSICAL |
| attackComplexity | string | Difficulty of exploitation: LOW or HIGH |
| privilegesRequired | string | Privileges needed: NONE, LOW, HIGH |
| userInteraction | string | Whether user action is needed: NONE or REQUIRED |
| exploitabilityScore | number or null | CVSS exploitability sub-score (0.0-3.89) |
| impactScore | number or null | CVSS impact sub-score (0.0-6.0) |
| weaknesses | string[] | CWE identifiers (e.g., ["CWE-79", "CWE-89"]). Deduplicated, excludes NVD placeholders |
| references | string[] | Up to 10 advisory and patch URLs |
| sourceIdentifier | string | Organization that reported the CVE (e.g., "security@apache.org") |
| extractedAt | string | ISO 8601 timestamp of extraction |

CVSS severity levels

| Severity | Score Range | Description |
|---|---|---|
| CRITICAL | 9.0 -- 10.0 | Easy to exploit with severe impact, often remotely exploitable without authentication |
| HIGH | 7.0 -- 8.9 | Significant risk, may require some conditions to exploit |
| MEDIUM | 4.0 -- 6.9 | Moderate risk, typically requires specific conditions or user interaction |
| LOW | 0.1 -- 3.9 | Limited impact, difficult to exploit or requires physical access |

CVSS score selection logic

The actor selects CVSS scores using this priority:

  1. CVSS v3.1 with type: "Primary" (official NVD assessment)
  2. First CVSS v3.1 entry (if no primary exists)
  3. CVSS v2 with type: "Primary" (fallback for older CVEs)
  4. First CVSS v2 entry (last resort)

Use cases

  • Vulnerability monitoring -- Schedule daily runs to detect new CVEs affecting your software stack. Combine keyword and CPE filters with date ranges for targeted alerting.
  • Security auditing -- Extract all known vulnerabilities for specific products (Apache, Microsoft, Cisco) during security assessments.
  • Compliance reporting -- Generate structured CVE datasets for SOC 2, ISO 27001, PCI DSS, and FedRAMP compliance documentation.
  • Patch prioritization -- Filter by CRITICAL and HIGH severity to identify vulnerabilities requiring immediate patching.
  • Threat intelligence -- Analyze vulnerability trends by severity, attack vector, and CWE weakness type across time periods.
  • DevSecOps pipelines -- Integrate into CI/CD workflows to automatically check for CVEs in project dependencies.

Programmatic access (API)

Python:

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish
run = client.actor("ryanclinton/nvd-cve-vulnerability-search").call(run_input={
    "keywordSearch": "remote code execution",
    "cvssV3Severity": "CRITICAL",
    "pubStartDate": "2024-01-01",
    "maxResults": 50,
})

# Read the CVE records from the run's default dataset
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(f"[{item['severity']}] {item['cveId']} (CVSS {item['cvssScore']})")
    print(f" {item['description'][:100]}...")
    print(f" Weaknesses: {', '.join(item['weaknesses'])}")

JavaScript:

import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_API_TOKEN" });

const run = await client.actor("ryanclinton/nvd-cve-vulnerability-search").call({
    keywordSearch: "remote code execution",
    cvssV3Severity: "CRITICAL",
    pubStartDate: "2024-01-01",
    maxResults: 50,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
for (const item of items) {
    console.log(`[${item.severity}] ${item.cveId} (CVSS ${item.cvssScore})`);
    console.log(` Attack: ${item.attackVector} | Complexity: ${item.attackComplexity}`);
}

cURL:

# Start a run
curl "https://api.apify.com/v2/acts/ryanclinton~nvd-cve-vulnerability-search/runs" \
    -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer YOUR_API_TOKEN" \
    -d '{
        "keywordSearch": "remote code execution",
        "cvssV3Severity": "CRITICAL",
        "pubStartDate": "2024-01-01",
        "maxResults": 50
    }'

# Fetch results (after run completes)
curl "https://api.apify.com/v2/datasets/DATASET_ID/items?format=json" \
    -H "Authorization: Bearer YOUR_API_TOKEN"

How it works -- technical details

Input (keyword, cveId, cpeName, severity, dates, exactMatch)

  1. Input Validation
     • At least one filter required
     • cveId overrides keyword & date filters
  2. Date Window Builder (if dates present)
     • Split range into 119-day windows
     • NVD API max is 120 days per request
     • Each window: startT00:00:00.000 to endT23:59:59.999
     • Windows are non-overlapping
  3. URL Builder
     • keywordSearch → keywordSearch param
     • keywordExactMatch → empty flag param
     • cpeName → cpeName param
     • cvssV3Severity → cvssV3Severity param
     • Window dates → pubStartDate/pubEndDate
     • resultsPerPage=100, startIndex=N
  4. Paginated Fetcher
     • GET services.nvd.nist.gov/rest/json/cves/2.0
     • 100 results per page (API max)
     • 6.5 sec delay between requests
     • Per-window pagination for date queries
     • No-date queries: single pagination loop
     • Stop at maxResults or exhaustion
  5. Transform
     • English description only (lang='en')
     • CVSS: v3.1 Primary → v3.1[0] → v2
     • Weaknesses: deduplicated, excludes NVD-CWE-Other and NVD-CWE-noinfo
     • References: first 10 URLs
     • Dates: ISO substring to YYYY-MM-DD
  6. Output & Summary
     • Each CVE → Apify dataset
     • Summary: severity breakdown, year range

Rate limiting

The NVD API allows approximately 5 requests per 30-second window for unauthenticated users. The actor enforces a 6.5-second delay between requests to stay safely within this limit. For 10,000 results (100 pages), expect approximately 10-11 minutes of run time.

Date windowing

When you set a pubStartDate, the actor checks whether the total date range exceeds 119 days. If it does, the range is split into non-overlapping 119-day windows. Each window is paginated independently, and results are merged in order. For example, a 1-year date range produces 4 windows of ~90 days each.
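
The window splitting, URL building, and per-window pagination described above can be sketched as follows. This is an added example, not the actor's own code: the function names and `fake_fetch` are hypothetical, the CVE ids are constructed placeholders, and it assumes greedy splitting into inclusive 119-day windows (the actor may balance window lengths differently).

```python
# Added example: request planning as this page describes it (not the actor's code).
from datetime import date, timedelta
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "https://services.nvd.nist.gov/rest/json/cves/2.0"
WINDOW_DAYS, PAGE_SIZE, DELAY_S = 119, 100, 6.5   # values stated on this page

def date_windows(start, end):
    """Split [start, end] into consecutive, non-overlapping windows of <= 119 days."""
    if start > end:
        raise ValueError("pubStartDate is after pubEndDate")
    windows, cursor = [], start
    while cursor <= end:
        last = min(cursor + timedelta(days=WINDOW_DAYS - 1), end)  # assumption: inclusive
        windows.append((cursor, last))
        cursor = last + timedelta(days=1)      # next window starts the following day
    return windows

def build_url(filters, window=None, start_index=0, exact=False):
    params = dict(filters)
    if window:
        params["pubStartDate"] = f"{window[0].isoformat()}T00:00:00.000"
        params["pubEndDate"] = f"{window[1].isoformat()}T23:59:59.999"
    params.update(resultsPerPage=PAGE_SIZE, startIndex=start_index)
    flag = "&keywordExactMatch" if exact else ""   # sent as a parameter with no value
    return f"{BASE}?{urlencode(params, quote_via=quote)}{flag}"

def fetch_all(filters, windows, fetch, max_results, exact=False):
    """Paginate every window; fetch(url) must return the parsed NVD JSON page."""
    cves, urls = [], []
    for window in windows or [None]:           # no dates: one pagination loop
        start_index = 0
        while len(cves) < max_results:
            urls.append(build_url(filters, window, start_index, exact))
            page = fetch(urls[-1])             # a live client sleeps DELAY_S between calls
            cves += [v["cve"]["id"] for v in page["vulnerabilities"]]
            start_index += PAGE_SIZE
            if start_index >= page["totalResults"]:
                break
    return cves[:max_results], urls

def fake_fetch(url):
    """Constructed stand-in for the API: 250 matching CVEs in every date window."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first = int(query["startIndex"][0])
    ids = [f"CVE-0000-{i:04d}" for i in range(first, min(first + PAGE_SIZE, 250))]
    return {"totalResults": 250, "vulnerabilities": [{"cve": {"id": i}} for i in ids]}

WINDOWS = date_windows(date(2024, 1, 1), date(2024, 12, 31))
IDS, URLS = fetch_all({"keywordSearch": "remote code execution"}, WINDOWS, fake_fetch, 600, True)
EST_SECONDS = len(URLS) * DELAY_S              # requests x 6.5 s, as in the estimate above
```

With the constructed data, the run stops inside the third window once 600 results are collected, so the fourth window is never requested.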

Weakness filtering

The actor extracts CWE identifiers from the NVD weakness data and filters out two placeholder values that NVD uses when no specific weakness has been assigned:

  • NVD-CWE-Other -- NVD used a different classification
  • NVD-CWE-noinfo -- Insufficient information to assign a CWE

Remaining CWE identifiers are deduplicated.
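
The CVSS score selection logic and the weakness filtering described on this page, applied to raw records, look like this. This is an added example, not the actor's own code: it uses NVD API 2.0 field names, while the function names, the two sample records, and their placeholder CVE ids are constructed for illustration.

```python
# Added example: the page's transform rules applied to constructed NVD API 2.0 records.
PLACEHOLDER_CWES = {"NVD-CWE-Other", "NVD-CWE-noinfo"}

def pick_cvss(metrics):
    """Priority: v3.1 Primary, first v3.1, v2 Primary, first v2, else None."""
    for key in ("cvssMetricV31", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if entries:
            return next((m for m in entries if m.get("type") == "Primary"), entries[0])
    return None

def extract_cwes(weaknesses):
    """Collect CWE ids in order, dropping NVD placeholders and duplicates."""
    cwes = []
    for weakness in weaknesses or []:
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if value and value not in PLACEHOLDER_CWES and value not in cwes:
                cwes.append(value)
    return cwes

def transform(cve):
    metric = pick_cvss(cve.get("metrics", {})) or {}
    data = metric.get("cvssData", {})
    english = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
    return {
        "cveId": cve["id"], "published": cve.get("published", "")[:10],
        "description": english[0] if english else "",
        "cvssScore": data.get("baseScore"), "cvssVector": data.get("vectorString", ""),
        # v3.1 keeps baseSeverity inside cvssData; v2 keeps it on the metric itself.
        "severity": data.get("baseSeverity") or metric.get("baseSeverity", ""),
        "attackVector": data.get("attackVector", ""),  # v2 uses accessVector, so ""
        "weaknesses": extract_cwes(cve.get("weaknesses")),
        "references": [r["url"] for r in cve.get("references", [])[:10]],
    }

def v31(kind, score, severity, cia):  # builds a constructed v3.1 metric entry
    vector = f"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/{cia}"
    return {"type": kind, "cvssData": {"baseScore": score, "baseSeverity": severity,
                                       "vectorString": vector, "attackVector": "NETWORK"}}

MODERN = {  # constructed: the Secondary v3.1 entry is listed before the Primary one
    "id": "CVE-0000-0001", "published": "2024-03-05T14:15:07.123",
    "descriptions": [{"lang": "es", "value": "Registro de ejemplo."},
                     {"lang": "en", "value": "Constructed sample record."}],
    "metrics": {"cvssMetricV31": [v31("Secondary", 7.5, "HIGH", "C:N/I:N/A:H"),
                                  v31("Primary", 9.8, "CRITICAL", "C:H/I:H/A:H")]},
    "weaknesses": [{"description": [{"lang": "en", "value": v}]}
                   for v in ("CWE-502", "NVD-CWE-noinfo", "CWE-502", "CWE-20")],
    "references": [{"url": f"https://example.com/advisory/{i}"} for i in range(12)]}
LEGACY = {  # constructed pre-v3 record: CVSS v2 only, placeholder CWE only
    "id": "CVE-0000-0002", "published": "2009-06-01T00:00:00.000",
    "metrics": {"cvssMetricV2": [{"type": "Primary", "baseSeverity": "HIGH", "cvssData": {
        "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}
```

Calling `transform(MODERN)` picks the Primary 9.8 score even though the Secondary entry comes first, and `transform(LEGACY)` falls back to the v2 score with an empty `attackVector` and an empty weakness list.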

How much does it cost to use?

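| Scenario | CVEs | Pages | Time | Est. cost |
|---|---|---|---|---|
| Single CVE lookup | 1 | 1 | ~10 sec | ~$0.001 |
| Quick keyword search | 100 | 1 | ~10 sec | ~$0.001 |
| Medium search | 500 | 5 | ~40 sec | ~$0.005 |
| Large dataset | 2,000 | 20 | ~3 min | ~$0.01 |
| Maximum extraction | 10,000 | 100 | ~11 min | ~$0.05 |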

The NVD API is completely free. Apify's free tier includes $5 of monthly platform usage.

Limitations

  1. 10,000 result maximum -- The actor caps at 10,000 results per run. Use date ranges to split larger datasets across multiple runs.
  2. 6.5-second rate limit -- Without an NVD API key, the actor must wait 6.5 seconds between requests. Large searches are slow but reliable.
  3. CVSS v2 fallback -- Older CVEs (pre-2015) may only have CVSS v2 scores. The actor falls back to v2 data when v3.1 is unavailable, but some CVSS v3.1 fields (attackVector, attackComplexity, etc.) will be empty strings.
  4. English descriptions only -- The actor extracts only English-language CVE descriptions. Non-English descriptions are ignored.
  5. 120-day window constraint -- Date ranges exceeding 120 days are split into multiple API requests. This is transparent but increases run time.
  6. 10 references maximum -- Each CVE output includes at most 10 reference URLs, even if the NVD record contains more.
  7. No CPE configuration data -- The actor does not extract the detailed CPE configuration/applicability data (which versions are affected). Use the NIST website for version-level analysis.
  8. NVD data lag -- There can be a delay between when a CVE is assigned and when full CVSS scoring appears in the NVD.

Responsible use

  • NVD data is public information maintained by NIST. Use it for security research, vulnerability management, and compliance reporting.
  • Follow the NVD Terms of Use when using the data.
  • Do not use CVE data to exploit vulnerabilities in systems you do not own or have authorization to test.
  • When building security dashboards, ensure vulnerability information is presented accurately with appropriate context about CVSS scoring limitations.
  • The 6.5-second rate limit is designed to respect NVD's shared infrastructure. Do not attempt to circumvent it.

FAQ

Do I need an NVD API key? No. The NVD API is publicly available without authentication. The actor handles rate limiting automatically.

How current is the data? The actor queries the NVD API in real time. NIST typically publishes new CVEs within hours of disclosure.

Can I search for vulnerabilities in a specific product? Yes. Use the CPE Product Name field with a CPE identifier like cpe:2.3:a:microsoft:windows_10. Find CPE names on the NVD CPE Dictionary.

What does the CVSS score mean? CVSS rates vulnerabilities on a 0-10 scale. Critical (9.0-10.0) means easy to exploit with severe impact. High (7.0-8.9) represents significant risk. Medium (4.0-6.9) and Low (0.1-3.9) indicate progressively lower severity.

Why does my search take so long? The NVD API rate limit (5 requests/30 seconds) means each page of 100 results requires a 6.5-second delay. A search returning 1,000 CVEs takes about 70 seconds. Long date ranges also increase time due to window splitting.

Can I look up a single CVE? Yes. Enter the CVE ID (e.g., "CVE-2021-44228") in the CVE ID field. This is the fastest query type.

What are CWE weaknesses? Common Weakness Enumeration (CWE) identifiers classify the type of software flaw (e.g., CWE-79 = Cross-site Scripting, CWE-89 = SQL Injection). The actor extracts and deduplicates these from each CVE record.

The output dataset can be exported in JSON, CSV, or Excel format, or accessed programmatically via the Apify API. Use webhooks to trigger automated workflows when a run completes.

| Related Actor | Description | Use with |
|---|---|---|
| CISA KEV Catalog | Known exploited vulnerabilities actively used in attacks | Cross-reference to prioritize patching |
| Website Tech Stack Detector | Identify software on your websites | Find CVEs affecting your tech stack |
| DNS Record Lookup | Map domain infrastructure | Build attack surface inventory |
| Censys Internet Host Search | Search internet-connected hosts | Identify exposed services with known CVEs |
| SSL Certificate Search | Certificate transparency logs | Discover domains for vulnerability scanning |

Connect with any Apify integration including Google Sheets, Slack, Zapier, Make (Integromat), Amazon S3, and custom API endpoints to build automated vulnerability monitoring workflows.