The National Vulnerability Database (NVD) is the US government repository, maintained by NIST, that enriches every published CVE with a CVSS severity score, affected product data, and reference links — and knowing how to actually search and interpret it is a basic skill for anyone doing vulnerability management. This post walks through searching NVD directly, reading what it gives you, and where it fits alongside the tools that do the matching for you automatically.
What is the National Vulnerability Database, exactly?
NVD is not where CVEs are created — that happens through CVE Numbering Authorities and MITRE — but it is where each CVE gets enriched with a CVSS score, a list of affected Common Platform Enumeration (CPE) entries, weakness classification (CWE), and reference URLs to advisories and patches. NIST has run NVD since 2005, and it remains the most widely used free source for CVE metadata, even though several commercial and open alternatives (OSV, GitHub Advisory Database, vendor-specific feeds) now compete on speed and coverage in specific ecosystems.
How do you actually search NVD for a vulnerability?
The web interface at nvd.nist.gov lets you search by CVE ID directly, by keyword (a product or vendor name), by CPE, or by date range and severity filter. A keyword search for a library name returns every CVE where NVD has matched that product in its CPE dictionary, which is useful for a manual lookup but does not scale to auditing an entire dependency tree — for that, you want the API or a tool that automates the CPE matching for you. The NVD API (api.nist.gov) returns the same data as JSON and is the practical entry point for any automated workflow, though it is rate-limited without an API key.
How should you read a CVSS score once you find it?
NVD typically shows both a CVSS base score and its vector string, e.g. a string encoding attack vector, complexity, privileges required, and impact. The base score alone tells you severity in the abstract; the vector tells you the conditions under which that severity applies, which matters because a 9.8 requiring local access is a very different real-world risk than a 9.8 exploitable remotely and unauthenticated. NVD has been publishing CVSS v3.1 scores for years and has been rolling out CVSS v4.0 scoring for newer entries, so pay attention to which version a given score uses when comparing across CVEs.
What is a vulnerability assessment doing differently from an NVD lookup?
A vulnerability assessment is the broader process — scanning your actual systems or codebase, matching what you find against databases like NVD, and prioritizing based on your environment, not just the abstract CVSS score. NVD lookup is one input into that process, not the whole thing. A vulnerability test that only checks "is this CVE in NVD" without checking whether the vulnerable code path is reachable in your application will over-flag far more than it should — reachability and exploit context are what turn a raw NVD score into an actionable priority.
Where does NVD fall short for a real engineering workflow?
Coverage lag is the recurring complaint — NVD has had periods, notably in 2024, where its analysis backlog grew and newly published CVEs sat without full CPE enrichment for weeks. Teams that depend on NVD as their sole source for automated matching have felt that lag directly, since incomplete CPE data means automated tools can miss a match even though the CVE exists. That is why most serious SCA tooling blends NVD with other feeds — GitHub Advisory Database, OSV, and vendor advisories — rather than relying on NVD alone for freshness.
How does this connect to software composition analysis in practice?
SCA tools do at scale what a manual NVD search does one CVE at a time: match your dependency tree against known-vulnerable versions, pull in CVSS and CWE context, and layer prioritization on top. Manually cross-referencing NVD entries against a large dependency graph does not scale past a handful of libraries, which is the whole reason automated SCA exists. See our SCA product page for how that matching and prioritization work end to end.
FAQ
Is the National Vulnerability Database the same thing as CVE.org? No. CVE.org (run by MITRE) is where CVE identifiers are assigned and get a minimal record; NVD enriches those same CVE IDs with CVSS scores, CPE matches, and CWE classification. They are complementary, not competing, databases.
Do I need an API key to use the NVD API? Not strictly, but without one you are limited to a low request rate, which is fine for occasional manual lookups and impractical for scanning a real dependency tree. A free API key raises the rate limit substantially.
Why does NVD sometimes lag behind a CVE's public disclosure? NVD enrichment (CVSS scoring, CPE matching) is a manual analytical step separate from CVE publication, and analyst capacity has not always kept pace with CVE volume — 2024 saw a well-documented backlog. Newer CVEs may exist in the CVE list before NVD finishes enriching them.
Can I rely on NVD alone for vulnerability assessment? For a quick manual check, yes. For an ongoing program, no — pairing NVD with faster-updating feeds and reachability analysis (rather than raw CVSS alone) gives a far more accurate picture of what actually needs fixing first.