U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Status

Vulnerabilities within the NVD are derived from the CVE List which is maintained by processes upstream of the NVD. A common line of inquiry we receive is the about the difference between CVE statuses from the CVE program and the statuses assigned to vulnerabilities within the NVD. This page provides information regarding both sets of statuses and how they relate to each other.

CVE List Statuses

This table shows the CVE List statuses and what they mean, this information is derived from the CVE Program FAQs .

CVE List Status Description
RESERVED A CVE Entry is marked as "RESERVED" when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet populated. A CVE Entry can change from the RESERVED state to being populated at any time based on a number of factors both internal and external to the CVE List. 
PUBLISHED The CVE Entry is populated with details. These are a CVE Description and reference link[s] regarding details of the CVE.

When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Entry assigned to that issue may be designated as being "DISPUTED". In these cases, CVE is making no determination as to which party is correct. Instead, we make note of this dispute and try to offer any public references that will better inform those trying to understand the facts of the issue.

When you see a CVE Entry that is "DISPUTED", we encourage you to research the issue through the references or by contacting the affected vendor or developer for more information.


A CVE Entry listed as "REJECT" is a CVE Entry that is not accepted as a CVE Entry. The reason a CVE Entry is marked REJECT will most often be stated in the description of the CVE Entry. Possible examples include it being a duplicate CVE Entry, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason.

As a rule, REJECT CVE Entries should be ignored.

NVD Statuses

This table shows the NVD statuses and what they mean.

NVD Status Description
Received CVE has been recently published to the CVE List and has been received by the NVD.
Awaiting Analysis CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Undergoing Analysis CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Analyzed CVE has had analysis completed and all data associations made. Each Analysis has three sub-types, Initial, Modified and Reanalysis. Analyzed CVEs do not show a banner on the vulnerability detail page.
Initial: Used to show the first time analysis was performed on a given CVE.
Modified: Used to show that analysis was performed due to a modification the CVE’s information.
Reanalysis: Used to show that new analysis occurred, but was not due to a modification from an external source.

Modified CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.
Deferred When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
Rejected CVE has been marked as "**REJECT**" in the CVE List. These CVEs are stored in the NVD, but do not show up in search results.

CVE List and NVD Status Comparison

This table shows how the statuses from each organization relate to each other.

CVE List Status NVD Status
RESERVED CVE not present in NVD


NVD Status Workflow Diagram

The workflow depicted below shows when a CVE status can change and whether it occurs by NVD staff decisions or changes to the CVE List information Graphic of Vulnerability Workflow

Created September 20, 2022 , Updated August 3, 2023