National Vulnerability Database

NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

Email us: nvd [at] NIST.gov

Status Updates

Current Website Status: Operational

Current API Status: Operational

NIST is currently migrating network services. Users may experience some disruptions during this transition. We appreciate your understanding.

News updates:

  • May 19, 2025:  NVD Technical Update

    We plan to deploy updates to NVD systems the week of May 19, 2025. This deployment includes the following relevant changes:

    Legacy Data Feed Files Update

    As stated in the February 24, 2025 Technical Update, we will be providing data feed files that reflect the 2.0 /cves/, /cpematch/ and /cpes/ API response content. These new data feed files will be made available at https://nvd.nist.gov/vuln/data-feeds#divJson20Feeds. 

    The 2.0 vulnerability feeds follow the same approach as the previous 1.1 vulnerability feed files. They are broken out by “year” and accompanied by the “Recent” and “Modified” feed files.

    Due to the volume of data within the CPE Match 2.0 and CPE Dictionary 2.0 files, the content has been broken into smaller “chunks”. Each chunk should be schema valid and reflect the same structure and formatting as the 2.0 API responses. Additionally, the CPE Match 2.0 and CPE Dictionary 2.0 are provided as tar.gz instead of .gz files. 

    The following unsupported legacy data feed files will remain available in parallel until August 20th, 2025 as a courtesy. After that time, the legacy data feed files will be removed from the data feeds page and will no longer be accessible. 

    Any organizations making use of the legacy feed files will need to update their systems to use the 2.0 APIs or the 2.0 data feed files.  

    Looking Ahead...

    Network Services Migration

    NVD infrastructure will be migrating network services. We intend to migrate in a phased approach, beginning with the website, followed by other services and then the APIs. As part of this transition, users will notice that rate-limited requests will now return a status code of 429 instead of a status code of 403 “Forbidden by Administrative Rules”.

  • April 2, 2025: NVD General Announcement

    (Note: this statement was updated on April 10, 2025 to clarify which CVEs will be deferred.)

    All CVEs with a published date prior to 01/01/2018 that are awaiting further enrichment will be marked as Deferred within the NVD dataset.

    We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating their enrichment data due to the CVE’s age.

    CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status.

    This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized.

    We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow.

    In addition, we will prioritize any CVEs that are added to the KEV regardless of status.
     

  • March 19, 2025: NVD General Update

    This update provides information on our progress as we work to process incoming CVEs and to address the backlog of CVEs that have not been fully processed:

    We are currently processing incoming CVEs at roughly the rate we had sustained prior to the processing slowdown in spring and early summer of 2024. However, CVE submissions increased 32 percent in 2024, and that prior processing rate is no longer sufficient to keep up with incoming submissions. As a result, the backlog is still growing.

    We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead.

    To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.
     

  • March 11, 2025: NVD Technical Update

    Attention Vulnerability API users that utilize parameters lastModStartDate and lastModEndDate: 

    Due to an internal issue with processing analyzed CVEs, please reset your lastModStartDate to ‘2025-02-26T00:00:00.000’.  This will ensure all CVE updates are applied appropriately in your environment.  We apologize for the inconvenience.

  • February 24, 2025:  NVD Technical Update

    We plan to deploy updates to NVD systems the week of February 24, 2025. This deployment includes the following relevant changes:

    2.0 API Changes

    • The /cves/ schema has been updated to version 2.2.2
    • Removed the minItems and maxItems restrictions from #definitions/cve_item/properties/references
    • Resolved incongruent CVSS v4.0 property labels within the JSON responses
    • Implemented multiple performance and stability improvements to the infrastructure and workflows supporting the APIs.

    Looking Ahead...

    Legacy Data Feed Files Update

    We are planning to retire and replace the following legacy data feed files with complimentary data feed files that reflect the 2.0 /cves/, /cpematch/ and /cpes/ API response content.

    While we originally intended to move away from supporting this type of bulk download capability, circumstances have redirected our efforts from other, preferred approaches.

    Once these updates are made available, the unsupported legacy data feed files will remain available in parallel for 3 months as a courtesy. After that time, the legacy 1.1 feed files will no longer be accessible. Any organizations making use of the legacy feed files will need to update their systems to use the 2.0 APIs or the 2.0 data feed files.

More historical updates
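
For consumers of the Vulnerability API, the March 11 and May 19, 2025 notices above translate into two client changes: re-pull everything modified since 2025-02-26, and treat both 429 and the legacy 403 as rate limiting while the migration is in progress. The sketch below is an added example, not NVD code; the 120-day window limit, the backoff values, the `Retry-After` handling and matching the 403 text in the response body are assumptions, and no request is actually sent.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode

# CVE API 2.0 endpoint; this module only builds URLs, it sends nothing.
CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
RESET_START = datetime(2025, 2, 26)   # lastModStartDate from the March 11, 2025 notice
MAX_WINDOW = timedelta(days=120)      # assumed maximum date range per request
TS = "%Y-%m-%dT%H:%M:%S.000"          # same timestamp shape as in the notice


def resync_urls(now, start=RESET_START):
    """Split [start, now] into consecutive lastMod windows of at most MAX_WINDOW."""
    urls = []
    while start < now:
        end = min(start + MAX_WINDOW, now)
        query = urlencode({"lastModStartDate": start.strftime(TS),
                           "lastModEndDate": end.strftime(TS)})
        urls.append(f"{CVE_API}?{query}")
        start = end
    return urls


def is_rate_limited(status, body=""):
    """429 after the migration; before it, 403 carrying the administrative-rules text."""
    if status == 429:
        return True
    # Assumption: the legacy 403 includes this phrase in its body. Any other
    # 403 is treated as a real authorization failure and is not retried.
    return status == 403 and "forbidden by administrative rules" in body.lower()


def retry_delay(status, headers, body, attempt, base=6.0, cap=120.0):
    """Seconds to wait before retrying, or None if this is not a rate limit."""
    if not is_rate_limited(status, body):
        return None
    retry_after = headers.get("Retry-After", "")
    if retry_after.isdigit():             # honour the server's hint if one is sent
        return min(float(retry_after), cap)
    return min(base * 2 ** attempt, cap)  # otherwise capped exponential backoff
```

A client that retried only on 403 will stop backing off once the APIs move to 429, so the classifier should be deployed before the migration reaches them.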