U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NVD Data Feeds

NOTICE UPDATED - May, 29th 2024

The NVD has a new announcement page with status updates, news, and how to stay connected!

APIs and Data Feed Types

The following table contains links and short descriptions for each API or data feed the NVD offers. Please read how to keep up-to-date with NVD data when using the traditional data feeds.

Users of the data feeds provided on this page must have an understanding of the XML and/or JSON standards and XML or JSON related technologies as defined by www.w3.org.

Type Description
CVE and CPE APIs An alternative to the traditional vulnerability data feed files. The APIs are far more flexible and offer a richer dataset in a single interface compared to the JSON Vulnerability Feeds and CPE Match Feed.
JSON Vulnerability Feeds Each vulnerability in the file includes a description and associated reference links from the CVE® dictionary feed, as well as CVSS base metrics, vulnerable product configuration, and weakness categorization.
CPE Match Feed A feed that provides the product/platform applicability statement to CPE URI matching based on the CPEs in the official CPE dictionary.
Vulnerability Translation Feeds Translations of vulnerability feeds.
Vulnerability Vendor Comments Comments provided by vendors regarding a particular flaw affecting within a product.
CPE Dictionary dictionary containing a list of products.
Common Configuration Enumeration (CCE) Reference Data Reference data for common configuration items.


The 2.0 APIs are the preferred method for staying up to date with the NVD. Users interested in learning where to begin with the API should visit the NVD developers pages.

Benefits of the APIs over the traditional data feeds include:

  • The APIs are updated as frequently as our website (unlike the traditional feeds which have explicit update intervals)
  • The APIs provide search capabilities based on the Advanced search feature of the website
  • The APIs provide CVE and CPE based searching capabilities, including the ability to search for single CVE and CPE entries
  • The ability to view only the information that has changed since a given date or time
  • Simplified methods of identifying CPE matches to Applicability statements
CVE API Documentation CPE API Documentation
Automation Support for CVE Retrieval  Automation Support for CPE Retrieval

How to Keep Up-to-Date with the NVD Data Using the Traditional Feeds

The vulnerability feeds provide CVE® data organized by the first four digits of a CVE® identifier (except for the 2002 feeds which include vulnerabilities prior to and including "CVE-2002-"). If you are locally mirroring NVD data, either the APIs or the data feeds may be used to stay synchronized. After performing a one-time import of the complete data set using the compressed JSON vulnerability feeds, the "modified" feeds should be used to keep up-to-date.

Each feed is updated nightly, but only if the content of that feed has changed. For example, the 2004 feeds will be updated only if there is an addition or modification to any vulnerability with a starting CVE® identifier of "CVE-2004-". The "recent" feeds are a list of recently published vulnerabilities and the "modified" feeds are a list of recently published and modified vulnerabilities. The "recent" and "modified" feeds only contain vulnerabilities changed within the previous eight days. These feeds are updated approximately every two hours.

META Files

Users should always consult the META file to determine if a given feed has been updated since the last import. If no changes have been made there is no benefit to downloading either the .zip or .gz files. This approach should result in a reasonable use of less than 200 requests per day.

Each of the data feeds is described by an associated plain text file with the same name as the .xml/.json file with a .meta extension. These files are updated approximately every two hours to reflect changes within their respective feed file. For example, if the name of the file is nvdcve-1.1-Modified.json then the .meta file name will be nvdcve-1.1-Modified.meta. The .meta file contains information about the specific feed file including the last modified date and time, the size of the file uncompressed, and a SHA256 value of the uncompressed file:


JSON Feeds

These data feeds includes both previously offered and new NVD data points in an updated JSON format. The "year" feeds are updated once per day, while the "recent" and "modified" feeds are updated every two hours.


The NVD plans to retire all legacy data feeds while guiding any remaining data feed users to updated application-programming interfaces (APIs). APIs have many benefits over data feeds and have been the proven and preferred approach to web-based automation for over a decade. For additional information on the NVD API, please visit the developers pages. Click here for more information on the retirement timeline.

Schema Version 1.1 NVD JSON 1.1 Schema
Feed Updated Download Size (MB)
CVE-Modified 06/16/2024; 6:00:00 PM -0400 META
GZ 0.39 MB
ZIP 0.39 MB
CVE-Recent 06/16/2024; 6:00:00 PM -0400 META
GZ 0.15 MB
ZIP 0.15 MB
CVE-2024 06/16/2024; 3:00:05 AM -0400 META
GZ 2.71 MB
ZIP 2.71 MB
CVE-2023 06/16/2024; 3:00:26 AM -0400 META
GZ 6.87 MB
ZIP 6.87 MB
CVE-2022 06/16/2024; 3:00:51 AM -0400 META
GZ 6.23 MB
ZIP 6.23 MB
CVE-2021 06/14/2024; 3:01:17 AM -0400 META
GZ 6.56 MB
ZIP 6.56 MB
CVE-2020 06/12/2024; 3:01:40 AM -0400 META
GZ 5.58 MB
ZIP 5.58 MB
CVE-2019 06/12/2024; 3:01:58 AM -0400 META
GZ 4.52 MB
ZIP 4.52 MB
CVE-2018 06/12/2024; 3:02:13 AM -0400 META
GZ 3.96 MB
ZIP 3.96 MB
CVE-2017 06/08/2024; 3:01:29 AM -0400 META
GZ 3.65 MB
ZIP 3.65 MB
CVE-2016 06/05/2024; 3:02:33 AM -0400 META
GZ 2.57 MB
ZIP 2.57 MB
CVE-2015 06/05/2024; 3:02:41 AM -0400 META
GZ 2.15 MB
ZIP 2.15 MB
CVE-2014 06/11/2024; 3:05:44 AM -0400 META
GZ 2.24 MB
ZIP 2.24 MB
CVE-2013 06/05/2024; 3:02:49 AM -0400 META
GZ 2.29 MB
ZIP 2.29 MB
CVE-2012 06/13/2024; 3:02:39 AM -0400 META
GZ 1.93 MB
ZIP 1.93 MB
CVE-2011 06/05/2024; 3:03:03 AM -0400 META
GZ 1.73 MB
ZIP 1.73 MB
CVE-2010 06/05/2024; 3:03:09 AM -0400 META
GZ 1.84 MB
ZIP 1.84 MB
CVE-2009 06/11/2024; 3:06:27 AM -0400 META
GZ 1.87 MB
ZIP 1.87 MB
CVE-2008 05/18/2024; 3:02:30 AM -0400 META
GZ 2.07 MB
ZIP 2.07 MB
CVE-2007 06/05/2024; 3:03:15 AM -0400 META
GZ 2.02 MB
ZIP 2.02 MB
CVE-2006 05/17/2024; 3:03:50 AM -0400 META
GZ 2.04 MB
ZIP 2.04 MB
CVE-2005 05/17/2024; 3:03:55 AM -0400 META
GZ 1.29 MB
ZIP 1.29 MB
CVE-2004 05/17/2024; 3:03:58 AM -0400 META
GZ 0.82 MB
ZIP 0.82 MB
CVE-2003 06/16/2024; 3:01:01 AM -0400 META
GZ 0.42 MB
ZIP 0.42 MB
CVE-2002 06/11/2024; 3:06:36 AM -0400 META
GZ 1.41 MB
ZIP 1.41 MB

CPE Match Feed

This data feed provides a list of all CVE applicability statement match criteria (CPE match strings and CPE match ranges) and the CPE URIs from the official CPE dictionary that match. Data consumers can use this feed to enhance the CPE information provided in the JSON Vulnerability feeds. If a CPE URI expected to match a given criteria is missing, please contact cpe_dictionary@nist.gov as those CPEs may need approved to the official CPE dictionary. This feed is updated once per day.

Schema Version 1.0 NVD CPE Match Feed 1.0 Schema
Feed Updated Download Size (MB)
CPE-Match 06/15/2024; 12:22:31 AM -0400 META
GZ 40.04 MB
ZIP 40.04 MB

RSS Vulnerability Feeds


The RSS data feeds have been retired.

Vulnerability Vendor Comments

NVD provides a service whereby software development organizations can submit "Official Vendor Comments" on the set of CVE vulnerabilities that apply to their products. Organizations can submit comments by contacting NVD staff at nvd@nist.gov . More information is provided on the vendor comment page.

All of the vendors comments can be downloaded from the following XML feed which is updated every 2 hours:

Feed Updated Download Size (MB)
Vendor Comments 06/16/2024; 12:45:01 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB

NVD/CVE Translated XML Feed (version 1.0)

NVD provides an XML feed for translations of CVE vulnerabilities into other languages.

Currently, INCIBE (Spanish National Cybersecurity Institute) is translating vulnerabilities into Spanish. INCIBE is solely responsible for the Spanish translation content. Incibe Logo

Schema Version 1 NVD/CVE Translation XML Schema
Feed Updated Download Size (MB)
CVE-Modified 06/16/2024; 12:40:02 AM -0400 META
GZ 0.09 MB
ZIP 0.09 MB
CVE-2024 06/16/2024; 12:35:26 AM -0400 META
GZ 1.54 MB
ZIP 1.54 MB
CVE-2023 06/16/2024; 12:35:56 AM -0400 META
GZ 1.56 MB
ZIP 1.56 MB
CVE-2022 06/16/2024; 12:36:38 AM -0400 META
GZ 2.01 MB
ZIP 2.01 MB
CVE-2021 06/16/2024; 12:37:21 AM -0400 META
GZ 2.26 MB
ZIP 2.26 MB
CVE-2020 06/16/2024; 12:37:58 AM -0400 META
GZ 1.77 MB
ZIP 1.77 MB
CVE-2019 06/16/2024; 12:38:29 AM -0400 META
GZ 1.45 MB
ZIP 1.45 MB
CVE-2018 06/16/2024; 12:39:00 AM -0400 META
GZ 1.32 MB
ZIP 1.32 MB
CVE-2017 06/16/2024; 12:39:29 AM -0400 META
GZ 1.24 MB
ZIP 1.24 MB
CVE-2016 06/16/2024; 12:39:48 AM -0400 META
GZ 0.71 MB
ZIP 0.71 MB
CVE-2015 06/16/2024; 12:40:04 AM -0400 META
GZ 0.64 MB
ZIP 0.64 MB
CVE-2014 06/16/2024; 12:40:21 AM -0400 META
GZ 0.65 MB
ZIP 0.65 MB
CVE-2013 06/16/2024; 12:40:33 AM -0400 META
GZ 0.54 MB
ZIP 0.54 MB
CVE-2012 06/16/2024; 12:40:45 AM -0400 META
GZ 0.46 MB
ZIP 0.46 MB
CVE-2011 06/16/2024; 12:40:56 AM -0400 META
GZ 0.41 MB
ZIP 0.41 MB
CVE-2010 06/16/2024; 12:41:06 AM -0400 META
GZ 0.45 MB
ZIP 0.45 MB
CVE-2009 06/16/2024; 12:41:17 AM -0400 META
GZ 0.47 MB
ZIP 0.47 MB
CVE-2008 06/16/2024; 12:41:32 AM -0400 META
GZ 0.63 MB
ZIP 0.63 MB
CVE-2007 06/16/2024; 12:41:46 AM -0400 META
GZ 0.62 MB
ZIP 0.62 MB
CVE-2006 06/16/2024; 12:41:59 AM -0400 META
GZ 0.39 MB
ZIP 0.39 MB
CVE-2005 06/16/2024; 12:42:01 AM -0400 META
GZ 0.04 MB
ZIP 0.04 MB
CVE-2004 06/16/2024; 12:42:03 AM -0400 META
GZ 0.06 MB
ZIP 0.06 MB
CVE-2003 06/16/2024; 12:42:06 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB
CVE-2002 06/16/2024; 12:42:08 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB