NVD Data Feeds

The entire NVD database can be downloaded from this web page for public use. All NIST publications are available in the public domain according to Title 17 of the United States Code, however acknowledgement of the NVD when using our information is always appreciated.

The following feeds are available:

• JSON Vulnerability Feeds – Each vulnerability in the file includes a description and associated reference links from the CVE® dictionary feed, as well as CVSS base scores, vulnerable product configuration, and weakness categorization.
• STIX Vulnerability Feeds – NVD data using the Structured Threat Information Expression (STIX™) format.
• CPE Match Feed – A feed that provides the product/platform applicability statement to CPE URI matching based on the CPEs in the official CPE dictionary.
• RSS Vulnerability Feeds – An eight day window of security related software flaws.
• Vulnerability Translation Feeds – Translations of vulnerability feeds.
• Vulnerability Vendor Comments – Comments provided by vendors regarding a particular flaw affecting within a product.
• CPE Dictionary – dictionary containing a list of products.
• Common Configuration Enumeration (CCE) Reference Data – Reference data for common configuration items.
• National Checklist Program (NCP) Checklists  – A list of all of the checklists categorized by the NCP.

How to keep up-to-date with the NVD data
The main vulnerability feeds provide CVE® data organized by the first four digits of a CVE® identifier except for the 2002 feeds which include vulnerabilities prior to and including "CVE-2002-".  Each feed is updated only if the content of that feed has changed. For example the 2004 feeds will be updated only if there is an addition or modification to any vulnerability with a starting CVE® identifier of "CVE-2004-". In addition, the "recent" feeds are a list of recently published vulnerabilities and the "modified" feeds are a list of recently published and modified vulnerabilities where "recently" and "modified" are defined as the previous eight days. These feeds are updated approximately every two hours.
 

If you are locally mirroring the NVD data, the data feeds should be used to stay synchronized. After performing a one-time import of the complete data set using the compressed XML/JSON vulnerability feeds, the "modified" feeds should be used to keep up-to-date. The META file should be used to determine if a given feed has been updated since your last import. This helps prevent unnecessary downloads of the .zip or .gz files and should result in a reasonable use of less than 200 requests per day.

META Files

In addition, each of the data feeds is described by an associated plain text file with the same name as the .xml file with a .meta extension. These files are updated approximately every two hours to reflect changes within their respective feed file. For example, if the name of the file is nvdcve-2.0-Modified.xml then the .meta file name will be nvdcve-2.0-Modified.meta. The .meta file contains information about the specific feed including the last modified date and time, the size of the file uncompressed, and a SHA256 value of the uncompressed file:

JSON Feeds

NVD is now offering a vulnerability data feed using the JSON format. This data feed includes both previously offered and new NVD data points. Changes made throughout the BETA phase are visible by viewing the changelog.

XML Vulnerability Feeds

CPE Match Feed

This data feed provides a list of all CVE applicability statement match criteria (CPE match strings and CPE match ranges) and the CPE URIs from the official CPE dictionary that match. If a CPE URI expected to match a given criteria is missing, please contact cpe_dictionary@nist.gov as those CPEs may need approved to the official CPE dictionary. This feed is updated on a daily basis.

RSS Vulnerability Feeds

NVD provides two RSS 1.0 data feeds. The first feed, nvd-rss.xml (zip or gz), provides information on all vulnerabilities within the previous eight days. The second feed, nvd-rss-analyzed.xml (zip or gz), provides only vulnerabilities which have been analyzed within the previous eight days. The advantage of the second feed is that we are able to provide vulnerable product names in the title. The advantage of the former is that you learn about new vulnerabilities as soon as possible.

Vulnerability Vendor Comments

NVD provides a service whereby software development organizations can submit "Official Vendor Comments" on the set of CVE vulnerabilities that apply to their products. Organizations can submit comments by contacting NVD staff at nvd@nist.gov. More information is provided on the vendor comment page.

All of the vendors comments can be downloaded from the following XML feed which is updated every 2 hours:

NVD/CVE Translated XML Feed (version 1.0)

NVD provides an XML feed for translations of CVE vulnerabilities into other languages.

Currently, INCIBE (Spanish National Cybersecurity Institute) is translating vulnerabilities into Spanish. INCIBE is solely responsible for the Spanish translation content.

NVD/CVE Translation XML Schema File: nvdcvetrans.xsd

National Checklist Program (NCP) Checklists

NCP/Checklist XML 0.1 Information:
ncp-checklist-feed_0.2.xsd

NCP/Checklist XML 0.1 Data Files: checklist-0.1-feed.xml (zip or gz)
checklist-0.1-feed-modified.xml (zip or gz)

checklist-0.1-feed.xml includes all checklists contained within the NCP repository checklist-0.1-feed-modified.xml includes all recently modified checklists within the NCP repository