U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


This documentation assumes that you already understand at least one common programming language and are generally familiar with JSON RESTful services. JSON specifies the format of the data returned by the REST service. REST refers to a style of services that allow computers to communicate via HTTP over the Internet. Click here for a list of best practices and additional information on where to start. The NVD is also documenting popular workflows to assist developers working with the APIs.


The CPE API is used to easily retrieve information on a single CPE record or a collection of CPE records from the Official CPE Dictionary . The dictionary contains 1,265,584 CPE Names and more than 420,000 match strings. Because of this, the NVD enforces offset-based pagination to answer requests for large collections. Through a series of smaller “chunked” responses controlled by an offset startIndex and a page limit resultsPerPage users may page through all the records in the dictionary. For more information on the full CPE specification please refer to the Computer Security Resource Center.

The URL stem for retrieving CPE information is shown below.

Base URL



Match Criteria API

The CPE Match Criteria API is used to easily retrieve the complete list of valid CPE Match Strings. Unlike a CPE Name, match strings and match string ranges do not require a value in the part, vendor, product, or version components.

The URL stem for retrieving match criteria information is shown below.

Base URL



Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov

Created September 20, 2022 , Updated March 19, 2024