) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Vulnerability Status
Vulnerability records within the NVD dataset are sourced from the CVE List, which is maintained by the CVE Program, upstream of the NVD. This page provides information regarding both the CVE Program and NVD sets of statuses and how they relate to each other.
CVE List Statuses
This information is derived from the CVE Program FAQs.
| CVE List Status | Description |
|---|---|
| RESERVED |
A CVE Record is marked as “RESERVED” when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet published. “RESERVED” is the initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA. A CVE Record can change from the RESERVED state to being published at any time based on a number of factors both internal and external to the CVE List. Note: Reserved CVE Records are not included in the NVD dataset. |
| PUBLISHED | A CNA has populated the data associated with the CVE ID and published the CVE Record. |
| REJECT |
A CVE Record listed as “REJECTED” is a CVE Record that is not accepted as a CVE Record. The reason a CVE Record is marked REJECTED will most often be stated in the description of the CVE Record. Possible examples include it being a duplicate CVE Record, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECTED CVE Records should be ignored and the CVE ID and the associated CVE Record should no longer be used. A REJECTED CVE Record remains on the CVE List so that users know that the CVE ID and CVE Record are invalid. |
NVD Statuses
| NVD Status | Description |
|---|---|
| Received | The CVE has recently been published to the CVE List and has been included within the NVD dataset. |
| Awaiting Analysis | The CVE has been marked for NVD enrichment efforts. |
| Undergoing Analysis | The CVE is currently being enriched by team members, this process results in the association of reference link tags, CVSS, CWE, and CPE applicability statement data. |
| Analyzed | The CVE has had enrichment completed. CVEs in this status do not show a banner on the vulnerability detail page. |
| Modified | The CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes. |
| Deferred | The CVE is not being prioritized for NVD enrichment efforts due to resource or other concerns. |
| Rejected | The CVE has been marked Rejected in the CVE List. These CVEs are stored in the NVD, but do not show up in search results by default. |
CVE List and NVD Status Comparison
This table shows how the statuses from each organization relate to each other.
| CVE List Status | NVD Status |
|---|---|
| RESERVED | Not included in NVD dataset |
PUBLISHED |
RECEIVED AWAITING ANALYSIS UNDERGOING ANALYSIS ANALYZED MODIFIED DEFERRED |
| REJECTED | REJECTED |
NVD Status Workflow Diagram
The workflow depicted below shows when a CVE status can change and whether it occurs by NVD staff
decisions or changes to the CVE List information
