publicdata/nist-gov
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nist-gov/nvd.nist.gov/developers/vulnerabilities
Scott Williams db1ee937b0 Update NVD
2025-03-19 03:50:26 +00:00

2217 lines
No EOL
96 KiB
Text
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<title>Vulnerability APIs</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="content-style-type" content="text/css" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link href="/site-scripts/font-awesome/css/font-awesome.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/bootstrap/css/bootstrap.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/bootstrap/css/bootstrap-theme.min.css"
type="text/css" rel="stylesheet" />
<link
href="/site-scripts/eonasdan-bootstrap-datetimepicker/build/css/bootstrap-datetimepicker.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/css/nist-fonts.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/css/base-style.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/css/media-resize.css" type="text/css"
rel="stylesheet" />
<meta name="theme-color" content="#000000">
<script src="/site-scripts/jquery/dist/jquery.min.js"
type="text/javascript"></script>
<script src="/site-scripts/jquery-visible/jquery.visible.min.js"
type="text/javascript"></script>
<script src="/site-scripts/underscore/underscore-min.js"
type="text/javascript"></script>
<script src="/site-media/bootstrap/js/bootstrap.js"
type="text/javascript"></script>
<script src="/site-scripts/moment/min/moment.min.js"
type="text/javascript"></script>
<script
src="/site-scripts/eonasdan-bootstrap-datetimepicker/build/js/bootstrap-datetimepicker.min.js"
type="text/javascript"></script>
<script src="/site-media/js/megamenu.js" type="text/javascript"></script>
<script src="/site-media/js/nist-exit-script.js"
type="text/javascript"></script>
<script src="/site-media/js/forms.js" type="text/javascript"></script>
<script
src="/site-media/js/federated-analytics.all.min.js?agency=NIST&amp;subagency=nvd&amp;pua=UA-37115410-41&amp;yt=true"
type="text/javascript" id="_fed_an_js_tag"></script>
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-4KKFZP12LQ"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-4KKFZP12LQ'); </script>
<style id="antiClickjack">
body>* {
display: none !important;
}
#antiClickjack {
display: block !important;
}
</style>
<noscript>
<style id="antiClickjackNoScript">
body>* {
display: block !important;
}
#antiClickjack {
display: none !important;
}
</style>
</noscript>
<script type="text/javascript" id="antiClickjackScript">
if (self === top) {
// no clickjacking
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
setTimeout(tryForward(), 5000);
}
function tryForward() {
top.location = self.location;
}
</script>
<meta charset="UTF-8">
<link href="/site-media/css/nvd-style.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/images/favicons/apple-touch-icon.png"
rel="apple-touch-icon" type="image/png" sizes="180x180" />
<link href="/site-media/images/favicons/favicon-32x32.png"
rel="icon" type="image/png" sizes="32x32" />
<link href="/site-media/images/favicons/favicon-16x16.png"
rel="icon" type="image/png" sizes="16x16" />
<link href="/site-media/images/favicons/manifest.json"
rel="manifest" />
<link href="/site-media/images/favicons/safari-pinned-tab.svg"
rel="mask-icon" color="#000000" />
<link href="/site-media/images/favicons/favicon.ico"
rel="shortcut icon" />
<meta name="msapplication-config" content="/site-media/images/favicons/browserconfig.xml" />
<link href="/site-media/images/favicons/favicon.ico"
rel="shortcut icon" type="image/x-icon" />
<link href="/site-media/images/favicons/favicon.ico" rel="icon"
type="image/x-icon" />
<meta charset="UTF-8">
<link href="/site-media/css/apiKey/api-styles.css" type="text/css" rel="stylesheet"/>
<meta name="viewport1" content="width=device-width, initial-scale=1">
<script>
$(document).ready(
function() {
// get hash/anchor_id from url
var hash = window.location.hash;
// if hash exists, expand the section and scroll to hash
if(hash.startsWith("#cves-")) {
toggleMoreCode('divGetCveParameters', 'iconCveParams');
$('html, body').animate({
scrollTop: $(hash).offset().top
}, 1000);
}
});
function toggleMoreCode(elementId, iconId) {
var x = document.getElementById(elementId);
if (x.style.display === "none") {
x.style.display = "block";
} else {
x.style.display = "none";
}
if(typeof iconId !== 'undefined') {
var y = document.getElementById(iconId);
if (x.style.display === "block") {
y.classList.add("fa-minus");
y.classList.remove("fa-plus");
} else {
y.classList.add("fa-plus");
y.classList.remove("fa-minus");
}
}
}
</script>
<style>
</style>
<meta name="viewport1" content="width=device-width, initial-scale=1">
</head>
<body>
<header role="banner" title="Site Banner">
<div id="antiClickjack" style="display: none">
<h1>You are viewing this page in an unauthorized frame window.</h1>
<p>
This is a potential security issue, you are being redirected to
<a href="https://nvd.nist.gov">https://nvd.nist.gov</a>
</p>
</div>
<div>
<section class="usa-banner" aria-label="Official government website">
<div class="usa-accordion container">
<header class="usa-banner__header">
<noscript>
<p style="font-size: 0.85rem; font-weight: bold;">You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.</p>
</noscript>
<img class="usa-banner__header-flag"
src="/site-media/images/usbanner/us_flag_small.png" alt="U.S. flag">
&nbsp;
<span class="usa-banner__header-text">An official website of the United States government</span>
<button id="gov-banner-button" class="usa-accordion__button usa-banner__button" data-toggle="collapse" data-target="#gov-banner" aria-expanded="false" aria-controls="gov-banner">
<span class="usa-banner__button-text">Here's how you know</span>
</button>
</header>
<div class="usa-banner__content usa-accordion__content collapse" role="tabpanel" id="gov-banner" aria-expanded="true">
<div class="row">
<div class="col-md-5 col-sm-12">
<div class="row">
<div class="col-sm-2 col-xs-3">
<img class="usa-banner__icon usa-media-block__img"
src="/site-media/images/usbanner/icon-dot-gov.svg" alt="Dot gov">
</div>
<div class="col-sm-10 col-xs-9">
<p>
<strong>Official websites use .gov</strong>
<br>
A <strong>.gov</strong> website belongs to an official government organization in the United States.
</p>
</div>
</div>
</div>
<div class="col-md-5 col-sm-12">
<div class="row">
<div class="col-sm-2 col-xs-3">
<img class="usa-banner__icon usa-media-block__img"
src="/site-media/images/usbanner/icon-https.svg" alt="Https">
</div>
<div class="col-sm-10 col-xs-9">
<p>
<strong>Secure .gov websites use HTTPS</strong>
<br>
A <strong>lock</strong> (<img class="usa-banner__lock"
src="/site-media/images/usbanner/lock.svg" alt="Dot gov">) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<div>
<div>
<nav id="navbar" class="navbar">
<div id="nist-menu-container" class="container">
<div class="row">
<!-- Brand -->
<div class="col-xs-6 col-md-4 navbar-header"
style="height:104px">
<a class="navbar-brand"
href="https://www.nist.gov"
target="_blank" rel="noopener noreferrer"
id="navbar-brand-image"
style="padding-top: 36px">
<img alt="National Institute of Standards and Technology"
src="/site-media/images/nist/nist-logo.svg"
width="110" height="30">
</a>
</div>
<div class="col-xs-6 col-md-8 navbar-nist-logo">
<span id="nvd-menu-button" class="pull-right" style="margin-top: 26px"> <a href="#">
<span class="fa fa-bars"></span> <span id="nvd-menu-full-text"><span
class="hidden-xxs">NVD </span>MENU</span>
</a>
</span>
</div>
</div>
</div>
<div class="main-menu-row container">
<!-- Collect the nav links, forms, and other content for toggling -->
<div id="main-menu-drop" class="col-lg-12" style="display: none;">
<ul>
<li><a href="/general"> General <span
class="expander fa fa-plus" id="nvd-header-menu-general"
data-expander-name="general" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="general">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/general/nvd-dashboard">NVD Dashboard</a>
</p>
<p>
<a href="https://www.nist.gov/itl/nvd">News and Status Updates</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/general/faq">FAQ</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/general/visualizations">Visualizations</a>
</p>
<p>
<a href="/general/legal-disclaimer">Legal Disclaimer</a>
</p>
</div>
</div>
</div></li>
<li><a href="/vuln"> Vulnerabilities <span
class="expander fa fa-plus"
id="nvd-header-menu-vulnerabilities"
data-expander-name="vulnerabilities" data-expanded="false">
<span class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="vulnerabilities">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/vuln/search">Search &amp; Statistics</a>
</p>
<p>
<a href="/vuln/categories">Weakness Types</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/vuln/data-feeds">Legacy Data Feeds</a>
</p>
<p>
<a href="/vuln/vendor-comments">Vendor Comments</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/vuln/cvmap">CVMAP</a>
</p>
</div>
</div>
</div></li>
<li><a href="/vuln-metrics/cvss#"> Vulnerability Metrics <span
class="expander fa fa-plus" id="nvd-header-menu-metrics"
data-expander-name="metrics" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="metrics">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/vuln-metrics/cvss/v4-calculator">CVSS v4.0
Calculators</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/vuln-metrics/cvss/v3-calculator">CVSS v3.x
Calculators</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/vuln-metrics/cvss/v2-calculator">CVSS v2.0
Calculator</a>
</p>
</div>
</div>
</div></li>
<li><a href="/products"> Products <span
class="expander fa fa-plus" id="nvd-header-menu-products"
data-expander-name="products" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="products">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/products/cpe">CPE Dictionary</a>
</p>
<p>
<a href="/products/cpe/search">CPE Search</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/products/cpe/statistics">CPE Statistics</a>
</p>
<p>
<a href="/products/swid">SWID</a>
</p>
</div>
<div class="col-lg-4"></div>
</div>
</div></li>
<li>
<a href="/developers">Developers<span
class="expander fa fa-plus" id="nvd-header-menu-developers"
data-expander-name="developers" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="developers">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/developers/start-here">Start Here</a>
</p>
<p>
<a href="/developers/request-an-api-key">Request an API Key</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/developers/vulnerabilities">Vulnerabilities</a>
</p>
<p>
<a href="/developers/products">Products</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/developers/data-sources">Data Sources</a>
</p>
<p>
<a href="/developers/terms-of-use">Terms of Use</a>
</p>
</div>
</div>
</div>
</li>
<li><a href="/contact"> Contact NVD </a></li>
<li><a href="/other"> Other Sites <span
class="expander fa fa-plus" id="nvd-header-menu-othersites"
data-expander-name="otherSites" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="otherSites">
<div class="row">
<div class="col-lg-4">
<p>
<a href="https://ncp.nist.gov">Checklist (NCP) Repository</a>
</p>
<p>
<a href="https://ncp.nist.gov/cce">Configurations (CCE)</a>
</p>
<p>
<a href="https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search">800-53 Controls</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a
href="https://csrc.nist.gov/projects/scap-validation-program">SCAP
Validated Tools</a>
</p>
<p>
<a
href="https://csrc.nist.gov/projects/security-content-automation-protocol">SCAP</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a
href="https://csrc.nist.gov/projects/united-states-government-configuration-baseline">USGCB</a>
</p>
</div>
</div>
</div></li>
<li><a href="/search"> Search <span
class="expander fa fa-plus" id="nvd-header-menu-search"
data-expander-name="search" data-expanded="false"> <span
class="element-invisible">Expand or Collapse</span>
</span>
</a>
<div style="display: none;" class="sub-menu"
data-expander-trigger="search">
<div class="row">
<div class="col-lg-4">
<p>
<a href="/vuln/search">Vulnerability Search</a>
</p>
</div>
<div class="col-lg-4">
<p>
<a href="/products/cpe/search">CPE Search</a>
</p>
</div>
</div>
</div></li>
</ul>
</div>
<!-- /#mobile-nav-container -->
</div>
</nav>
<section id="itl-header" class="has-menu">
<div class="container">
<div class="row">
<div class="col-sm-12 col-md-8">
<h2 class="hidden-xs hidden-sm">
<a href="https://www.nist.gov/itl" target="_blank" rel="noopener noreferrer">Information Technology Laboratory</a>
</h2>
<h1 class="hidden-xs hidden-sm">
<a id="nvd-header-link"
href="/">National Vulnerability Database</a>
</h1>
<h1 class="hidden-xs text-center hidden-md hidden-lg"
>National Vulnerability Database</h1>
<h1 class="hidden-sm hidden-md hidden-lg text-center"
>NVD</h1>
</div>
<div class="col-sm-12 col-md-4">
<a style="width: 100%; text-align: center; display: block;padding-top: 14px">
<img id="img-logo-nvd-lg"
alt="National Vulnerability Database"
src="/site-media/images/F_NIST-Logo-NVD-white.svg"
width="500" height="100">
</a>
</div>
</div>
</div>
</section>
</div>
</div>
</header>
<main>
<div>
<div id="body-section" class="container">
<div class="row">
<ol class="breadcrumb">
<li><a href="/developers" class="CMSBreadCrumbsLink">Developers</a></li>
</ol>
</div>
<div>
<div id="divVulnerabilityApis" class="row">
<h2>Vulnerabilities</h2>
<p>
This documentation assumes that you already understand at least one common programming
language and are generally familiar with JSON RESTful services. JSON specifies the
format of the data returned by the REST service. REST refers to a style of services
that allow computers to communicate via HTTP over the Internet.
Click here for a list of
<a href="/developers/start-here">best practices and additional information</a>
on where to start. The NVD is also documenting
<a href="/developers/api-workflows">popular workflows</a> to assist developers
working with the APIs.
</p>
</div>
<div id="divGetCves" class="row">
<h3>CVE API</h3>
<p>
The CVE API is used to easily retrieve information on a single CVE or a collection
of CVE from the NVD. The NVD contains <span id="apiCveCount">285,640</span>
CVE records. Because of this, its APIs enforce
offset-based pagination to answer requests for large collections. Through a series of
smaller “chunked” responses controlled by an offset <code>startIndex</code> and a page
limit <code>resultsPerPage</code> users may page through all the CVE in the NVD.
</p>
<p>
The URL stem for retrieving CVE information is shown below.
</p>
</div>
<div id= cvesBase class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Base URL</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0</code></pre>
</div>
<h4 title="Click to expand or collapse">
<a id="toggleGetCveParameters"
onclick="toggleMoreCode('divGetCveParameters', 'iconCveParams')">
<span class="fa fa-plus" id="iconCveParams"></span>
Parameters
</a>
</h4>
<div id="divGetCveParameters" class="row" style="display: none">
<table class="table">
<tr>
<td>
<a id="cves-cpeName"><span class="paramName">cpeName <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{name}</code></li>
</ul>
<p>
This parameter returns all CVE associated with a specific CPE.
The exact value provided with <code>cpeName</code> is compared
against the CPE Match Criteria within a CVE applicability
statement. If the value of <code>cpeName</code> is considered
to match, the CVE is included in the results.
</p>
<p>
A CPE Name is a string of characters comprised of 13 colon separated values that
describe a product. In CPEv2.3 the first two values are always “cpe” and “2.3”.
The 11 values that follow are referred to as the CPE components.
When filtering by <code>cpeName</code> the part, vendor, product, and version components
are <span class="paramRequired">required</span> to contain values other than "*".
</p>
<p>
CPE Match Criteria comes in two forms: CPE Match Strings and CPE Match String Ranges.
Both are abstract concepts that are then correlated to CPE URIs in the Official CPE
Dictionary. Unlike a CPE Name, match strings and match string ranges do not require
a value in the part, vendor, product, or version components. The CVE API returns
CPE Match Criteria within the <span class="json-obj">configurations</span> object.
</p>
<div id= cves-cpeName-request-1 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request the CVE associated a specific CPE</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*</code></pre>
</div>
<br>
<div id="cves-cpeName-request-2" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request the CVE associated a specific CPE using an incomplete name</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607 </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cveId"><span class="paramName">cveId <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CVE-ID}</code></li>
</ul>
<p>
This parameter returns a specific vulnerability identified by its unique
Common Vulnerabilities and Exposures identifier (the CVE ID).
<code>cveId</code> will not accept <code>{CVE-ID}</code> for vulnerabilities not yet
published in the NVD.
</p>
<div id="cves-cveId-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request a specific CVE using its CVE-ID</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-1010218</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cveTags"><span class="paramName">cveTag <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>disputed</code></li>
<li><code>unsupported-when-assigned</code></li>
<li><code>exclusively-hosted-service</code></li>
</ul>
<p>
This parameter returns only the CVE records that include the provided <code>cveTag</code>.
</p>
<div id="cves-cveTags-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE records that have the disputed CVE Tag</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cveTag=disputed</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV2Metrics"><span class="paramName">cvssV2Metrics <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CVSSv2 vector string}</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided <code>{CVSSv2 vector string}</code>.
Either full or partial vector strings may be used. This parameter cannot be used in requests
that include <code>cvssV3Metrics</code> or <code>cvssv4Metrics</code>.
</p>
<p>
Please note, as of July 2022, the NVD no longer generates new information
for CVSS v2. Existing CVSS v2 information will remain in the database but
the NVD will no longer actively populate CVSS v2 for new CVEs. NVD analysts
will continue to use the reference information provided with the CVE and
any publicly available information at the time of analysis to associate
Reference Tags, information related to CVSS v3.1, CWE, and CPE Applicability
statements.
</p>
<div id="cves-cvssV2Metrics-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE matching the CVSSv2 vector string</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Metrics=AV:N/AC:H/Au:N/C:C/I:C/A:C </code></pre>
</div>
<br>
<div id="cves-cvssV2Metrics-request-2" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">An example of a valid request for which there exists no vulnerabilities</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Metrics=AV:L/AC:H/Au:M/C:N/I:N/A:N </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV2Severity"><span class="paramName">cvssV2Severity <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>LOW</code></li>
<li><code>MEDIUM</code></li>
<li><code>HIGH</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided CVSSv2 qualitative severity rating.
This parameter cannot be used in requests that include <code>cvssV3Severity</code> or <code>cvssv4Severity</code>.
</p>
<p>
Please note, as of July 2022, the NVD no longer generates new information
for CVSS v2. Existing CVSS v2 information will remain in the database but
the NVD will no longer actively populate CVSS v2 for new CVEs. NVD analysts
will continue to use the reference information provided with the CVE and
any publicly available information at the time of analysis to associate
Reference Tags, information related to CVSS v3.1, CWE, and CPE Applicability
statements.
</p>
<div id="cves-cvssV2Severity-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE matching the CVSSv2 qualitative severity rating of LOW </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Severity=LOW </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV3Metrics"><span class="paramName">cvssV3Metrics <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CVSSv3 vector string}</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided <code>{CVSSv3 vector string}</code>.
Either full or partial vector strings may be used. This parameter cannot be used in requests
that include <code>cvssV2Metrics</code> or <code>cvssv4Metrics</code>.
</p>
<div id="cves-cvssV3Metrics-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE matching the CVSSv3 vector string </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Metrics=AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L </code></pre>
</div>
<br>
<div id="cves-cvssV3Metrics-request-2" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">An example of a valid request for which there exists no vulnerabilities </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Metrics=AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV3Severity"><span class="paramName">cvssV3Severity <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>LOW</code></li>
<li><code>MEDIUM</code></li>
<li><code>HIGH</code></li>
<li><code>CRITICAL</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided CVSSv3 qualitative severity rating.
This parameter cannot be used in requests that include <code>cvssV2Severity</code> or <code>cvssv4Severity</code>. <br />
Note: The NVD will not contain CVSS v3 vector strings with a severity of <code>NONE</code>. This is why that severity is not an included option.
</p>
<div id="cves-cvssV3Severity-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE matching the CVSSv3 qualitative severity rating of LOW </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Severity=LOW </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV4Metrics"><span class="paramName">cvssV4Metrics <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CVSSv4 vector string}</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided <code>{CVSSv4 vector string}</code>.
Either full or partial vector strings may be used. This parameter cannot be used in requests
that include <code>cvssV2Metrics</code> or <code>cvssV3Severity</code>.
</p>
<div id="cves-cvssV4Metrics-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">An example of a valid request for which there exists no vulnerabilities </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV4Metrics=AV:A/AC:H/PR:H/UI:N</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cvssV4Severity"><span class="paramName">cvssV4Severity <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>LOW</code></li>
<li><code>MEDIUM</code></li>
<li><code>HIGH</code></li>
<li><code>CRITICAL</code></li>
</ul>
<p>
This parameter returns only the CVEs that match the provided CVSSv4 qualitative severity rating.
This parameter cannot be used in requests that include <code>cvssV2Severity</code> or <code>cvssV3Severity</code>. <br />
Note: The NVD enrichment data will not contain CVSS v4 vector strings with a severity of <code>NONE</code>. This is why that severity is not an included option.
</p>
<div id="cves-cvssV4Severity-request-1" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE matching the CVSSv4 qualitative severity rating of HIGH </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV4Severity=HIGH </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-cweId"><span class="paramName">cweId <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CWE-ID}</code></li>
</ul>
<p>
This parameter returns only the CVE that include a weakness identified by
<a href="https://cwe.mitre.org/data/definitions/1000.html">Common Weakness Enumeration</a>
using the provided <code>{CWE-ID}</code>. <br />
Note: The NVD also makes use of two placeholder CWE-ID values <code>NVD-CWE-Other</code> and <code>NVD-CWE-noinfo</code> which can also be used.
</p>
<div id="cves-cweId-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE that include Improper Authentication </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cweId=CWE-287 </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-hasCertAlerts"><span class="paramName">hasCertAlerts <span class="paramOptional">optional</span></span></a>
<p>
This parameter returns the CVE that contain a Technical Alert from
US-CERT. Please note, this parameter is provided without a parameter value.
</p>
<div id="cves-hasCertAlerts-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE containing a Technical Alert </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasCertAlerts </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-hasCertNotes"><span class="paramName">hasCertNotes <span class="paramOptional">optional</span></span></a>
<p>
This parameter returns the CVE that contain a Vulnerability Note from
CERT/CC. Please note, this parameter is provided without a parameter value.
</p>
<div id="cves-hasCertNotes-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE containing a Vulnerability Note from CERT/CC </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasCertNotes </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-hasKev"><span class="paramName">hasKev <span class="paramOptional">optional</span></span></a>
<p>
This parameter returns the CVE that appear in CISA's
<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities</a>
(KEV) Catalog. Please note, this parameter is provided without a parameter value.
</p>
<div id="cves-hasKev-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE that appear in the KEV catalog </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasKev </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-hasOval"><span class="paramName">hasOval <span class="paramOptional">optional</span></span></a>
<p>
This parameter returns the CVE that contain information from MITRE's
<a href="https://oval.mitre.org/inuse/">Open Vulnerability and Assessment Language</a>
(OVAL) before this transitioned to the Center for Internet Security (CIS). Please note,
this parameter is provided without a parameter value.
</p>
<div id="cves-hasOval-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE containing an OVAL record </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasOval </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-isVulnerable"><span class="paramName">isVulnerable <span class="paramOptional">optional</span></span></a>
<p>
This parameter returns only CVE associated with a specific CPE,
where the CPE is also considered vulnerable. The exact value provided
with <code>cpeName</code> is compared against the CPE Match Criteria
within a CVE applicability statement. If the value of <code>cpeName</code>
is considered to match, and is also considered vulnerable the CVE is included
in the results.
</p>
<p>
If filtering by <code>isVulnerable</code>, <code>cpeName</code>
is <span class="paramRequired">required</span>. Please note,
<code>virtualMatchString</code> is not accepted in requests
that use <code>isVulnerable</code>.
</p>
<div id="cves-isVulnerable-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE associated a specific CPE and are marked as vulnerable </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607&isVulnerable </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-keywordExactMatch"><span class="paramName">keywordExactMatch <span class="paramOptional">optional</span></span></a>
<p>
By default, <code>keywordSearch</code> returns any CVE where a word or phrase
is found in the current description.
</p>
<p>
If the value of <code>keywordSearch</code> is a phrase, i.e., contains more than
one term, including <code>keywordExactMatch</code> returns only the CVEs matching
the phrase exactly. Otherwise, the results will contain records having any of the
terms. If filtering by <code>keywordExactMatch</code>, <code>keywordSearch</code>
is <span class="paramRequired">required</span>.
Please note, this parameter is provided without a parameter value.
</p>
<div id= cves-keywordExactMatch-request-1 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE mentioning the exact phrase "Microsoft Outlook"</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Microsoft Outlook&keywordExactMatch</code></pre>
</div>
<P>
Please note, the example above would not return a CVE unless the exact phrase
"Microsoft Outlook" appears in the current description.
</P>
</td>
</tr>
<tr>
<td>
<a id="cves-keywordSearch"><span class="paramName">keywordSearch <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{keyword(s)}</code></li>
</ul><p>
This parameter returns only the CVEs where a word or phrase is found in the
current description. Descriptions associated with CVE are maintained by the
CVE Assignment Team through coordination with CVE Numbering
Authorities (CNAs). The NVD has no control over CVE descriptions.
</p>
<p>
Please note, empty spaces in the URL should be encoded in the request as "%20".
The user agent may handle this encoding automatically. Multiple <code>{keywords}</code>
function like an 'AND' statement. This returns results where all keywords exist
somewhere in the current description, though not necessarily together. Keyword search
operates as though a wildcard is placed after each keyword provided. For example, providing
"circle" will return results such as "circles" but not "encircle".
</p>
<div id= cves-keywordSearch-request-1 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request any CVE mentioning "Microsoft"</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Microsoft </code></pre>
</div>
<br>
<div id= cves-keywordSearch-request-2 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request any CVE mentioning "Windows", "MacOs", and "Debian"</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Windows MacOs Linux </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-lastModDates"><span class="paramName">lastModStartDate & lastModEndDate <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{start date}</code></li>
<li><code>{end date}</code></li>
</ul>
<p>
These parameters return only the CVEs that were last
modified during the specified period. If a CVE has been modified
more recently than the specified period, it will not be included
in the response. If filtering by the last modified date, both
<code>lastModStartDate</code> and <code>lastModEndDate</code> are <span class="paramRequired">required</span>.
The maximum allowable range when using any date range parameters
is 120 consecutive days.
</p>
<p>
A CVE's <span class="json-obj">lastModified</span> changes when any of the follow actions occur:
</p>
<ol>
<li>The NVD publishes the new CVE record</li>
<li><a href="/vuln/vulnerability-status#divNvdStatus">The NVD changes the status of a published CVE record after it has been analyzed</a></li>
<li>A source (CVE Primary CNA or another CNA) modifies a published CVE record</li>
</ol>
<p>
A CVE's <span class="json-obj">lastModified</span> does not change when any of the follow actions occur:
</p>
<ol>
<li><a href="/vuln/vulnerability-status#divNvdStatus">The NVD changes the status of a newly published CVE record to "Undergoing Analysis"</a></li>
<li>The NVD modifies a CPE record previously associated with the CVE record</li>
</ol>
<p>
Values must be entered in the extended ISO-8601 date/time format:
</p>
<code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code>
<p>
The "T" is a literal to separate the date from the time. The Z indicates
an optional offset-from-UTC. Please note, if a positive Z value is used
(such as +01:00 for Central European Time) then the "+" should be encoded
in the request as "%2B". The user agent may handle this encoding automatically.
</p>
<div id= cves-lastModDates-request class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE records modified between the start and end datetimes</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?lastModStartDate=2021-08-04T13:00:00.000%2B01:00&lastModEndDate=2021-10-22T13:36:00.000%2B01:00</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-noRejected"><span class="paramName">noRejected <span class="paramOptional">optional</span></span></a>
<p>
By default, the CVE API includes CVE records with the REJECT or Rejected status.
This parameter excludes CVE records with the REJECT or Rejected status from API response.
Please note, this parameter is provided without a parameter value.
</p>
<div id="cves-noRejected-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE without the REJECT or Rejected status</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?noRejected </code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-pubDates"><span class="paramName">pubStartDate & pubEndDate <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{start date}</code></li>
<li><code>{end date}</code></li>
</ul>
<p>
These parameters return only the CVEs that were added to the NVD
(i.e., published) during the specified period. If filtering by
the published date, both
<code>pubStartDate</code> and <code>pubEndDate</code> are <span class="paramRequired">required</span>.
The maximum allowable range when using any date range parameters
is 120 consecutive days.
</p>
<p>
Values must be entered in the extended ISO-8601 date/time format:
</p>
<code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code>
<p>
The "T" is a literal to separate the date from the time. The Z indicates
an optional offset-from-UTC. Please note, if a positive Z value is used
(such as +01:00 for Central European Time) then the "+" should be encoded
in the request as "%2B". The user agent may handle this encoding automatically.
</p>
<div id= cves-pubDates-request-1 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE published between the start and end dates, defaulting to GMT</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2021-08-04T00:00:00.000&pubEndDate=2021-10-22T00:00:00.000</code></pre>
</div>
<br>
<div id= cves-pubDates-request-2 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE published between the start and end datetimes</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2020-01-01T00:00:00.000-05:00&pubEndDate=2020-01-14T23:59:59.999-05:00</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-resultsPerPage"><span class="paramName">resultsPerPage <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{page limit}</code></li>
</ul>
<p>
This parameter specifies the maximum number of CVE records to be returned
in a single API response. For network considerations, the default value and maximum
allowable limit is <span id="apiResultsPerPageCve">2,000</span>.
</p>
<p>
It is recommended that users of the CVE API use the default <code>resultsPerPage</code> value.
This value has been optimized to allow the greatest number of results over the fewest number of requests.
</p>
</td>
</tr>
<tr>
<td>
<a id="cves-startIndex"><span class="paramName">startIndex <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{offset}</code></li>
</ul>
<p>
This parameter specifies the index of the first CVE to be returned in
the response data. The index is zero-based, meaning the first CVE
is at index zero.
</p>
<p>
The CVE API returns four primary objects in the response body that are
used for pagination:
<span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>,
and <span class="json-obj">vulnerabilities</span>. <span class="json-obj">totalResults</span> indicates the
total number of CVE records that match the request parameters.
If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>,
there are more records than could be returned by a single API
response and additional requests must update the <code>startIndex</code>
to get the remaining records.
</p>
<p>
The best, most efficient, practice for keeping up to date with
the NVD is to use the date range parameters to request
only the CVEs that have been modified since your last request.
</p>
<div id= cves-startIndex-request-1 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request 20 CVE records, beginning at index 0 and ending at index 19</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?resultsPerPage=20&startIndex=0</code></pre>
</div>
<br>
<div id= cves-startIndex-request-2 class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request the CVE records, beginning at index 20 and ending at index 39</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?resultsPerPage=20&startIndex=20</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-sourceIdentifier"><span class="paramName">sourceIdentifier <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{sourceIdentifier}</code></li>
</ul>
<p>
This parameter returns CVE where the exact value of <code>{sourceIdentifier}</code>
appears as a data source in the CVE record. The CVE API returns <code>{sourceIdentifier}</code>
values within the <span class="json-obj">descriptions</span> object.
The <a href="/developers/data-sources">Source API</a> returns detailed information
on the organizations that provide the data contained in the NVD dataset, including every valid
<code>{sourceIdentifier}</code> value.
</p>
<div id= cves-sourceIdentifier-request class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE with the data source "cve@mitre.org"</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?sourceIdentifier=cve@mitre.org</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-versionEnd"><span class="paramName">versionEnd & versionEndType <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{ending version}</code></li>
</ul>
<ul>
<li><code>including</code></li>
<li><code>excluding</code></li>
</ul>
<p>
The <code>virtualMatchString</code> parameter may be combined with <code>versionEnd</code> and <code>versionEndType</code>
to return only the CVEs associated with CPEs in specific version ranges.
</p>
<p>
If filtering by the ending version, <code>versionEnd</code>, <code>versionEndType</code>, and <code>virtualMatchString</code>
are <span class="paramRequired">required</span>.
Requests that include <code>versionEnd</code> cannot include a version component in the <code>virtualMatchString</code>.
</p>
<div id="cves-versionEnd-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE affiliated with version 2.6 of a specific CPE </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:linux:linux_kernel&versionStart=2.6&versionStartType=including&versionEnd=2.7&versionEndType=excluding</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-versionStart"><span class="paramName">versionStart & versionStartType <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{starting version}</code></li>
</ul>
<ul>
<li><code>including</code></li>
<li><code>excluding</code></li>
</ul>
<p>
The <code>virtualMatchString</code> parameter may be combined with <code>versionStart</code> and <code>versionStartType</code>
to return only the CVEs associated with CPEs in specific version ranges.
</p>
<p>
If filtering by the starting version, <code>versionStart</code>, <code>versionStartType</code>, and <code>virtualMatchString</code>
are <span class="paramRequired">required</span>.
Requests that include <code>versionStart</code> cannot include a version component in the <code>virtualMatchString</code>.
</p>
<div id="cves-versionStart-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE affiliated with versions 2.2 through 2.5.x of a specific CPE </div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:linux:linux_kernel&versionStart=2.2&versionStartType=including&versionEnd=2.6&versionEndType=excluding</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-virtualMatchString"><span class="paramName">virtualMatchString <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{cpe match string}</code></li>
</ul>
<p>
This parameter filters CVE more broadly than <code>cpeName</code>.
The exact value of <code>{cpe match string}</code> is compared against the CPE Match Criteria
present on CVE applicability statements.
</p>
<p>
CPE Match Criteria comes in two forms: CPE Match Strings and CPE Match String Ranges.
Both are abstract concepts that are then correlated to CPE URIs in the Official CPE
Dictionary. Unlike a CPE Name, match strings and match string ranges do not require
a value in the part, vendor, product, or version components. The CVE API returns
CPE Match Criteria within the <span class="json-obj">configurations</span> object.
</p>
<p>
CPE Match String Ranges are only supported for the version component and only when
<code>virtualMatchString</code> is combined with
<code>versionStart</code>, <code>versionStartType</code>, and/or <code>versionEnd</code>, both <code>versionEndType</code>.
</p>
<p>
<code>cpeName</code> is a simpler alternative for many use cases. When both <code>cpeName</code>
and <code>virtualMatchString</code> are provided, only the <code>cpeName</code> is used.
</p>
<div id= cves-virtualMatchString-request class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE where the associated CPE's language component denotes the German language version of a product.</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:*:*:*:*:*:*:de</code></pre>
</div>
</td>
</tr>
</table>
</div>
<h4 title="Click to expand or collapse">
<a id="toggleCvesResponseBody"
onclick="toggleMoreCode('divCvesResponseBody', 'iconCvesResponseBody')">
<span class="fa fa-plus" id="iconCvesResponseBody"></span>
Response
</a>
</h4>
<div id="divCvesResponseBody" class="row" style="display: none">
<h5>CVE API JSON Schema</h5>
<p>
The API response may contain up to four JSON schema that define the structure of the response data.
Each of the documents below describe a different aspect of the response but all include information
on data types, regex patterns, maximum character length, and other information that can support
developers and database administrators looking to create their own local repository.
</p>
<ul style="list-style: none">
<li><a href="https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema" class=schema-link>CVE API Schema</a></li>
<li><a href="https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.1.json" class=schema-link>CVSSv3.1 Schema</a></li>
<li><a href="https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.0.json" class=schema-link>CVSSv3.0 Schema</a></li>
<li><a href="https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v2.0.json" class=schema-link>CVSSv2.0 Schema</a></li>
</ul>
<h5>Response Details</h5>
<p>
The CVE API returns seven primary objects in the body of the response:
<span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>,
<span class="json-obj">totalResults</span>, <span class="json-obj">format</span>,
<span class="json-obj">version</span>, <span class="json-obj">timestamp</span>,
and <span class="json-obj">vulnerabilities</span>.
<p>
<p>
The <span class="json-obj">totalResults</span> object indicates the number of CVE that
match the request criteria, including all parameters. If the value of
<span class="json-obj">totalResults</span> is greater than the value of
<span class="json-obj">resultsPerPage</span>, then additional requests are necessary to
return the remaining CVE. The parameter <span class="json-obj">startIndex</span> may be
used in subsequent requests to identify the starting point for the next request. More
information and the best practices for using <span class="json-obj">resultsPerPage</span>
and <span class="json-obj">startIndex</span> are described above.
</p>
<p>
The <span class="json-obj">format</span> and <span class="json-obj">version</span> objects
identify the format and version of the API response. <span class="json-obj">timestamp</span>
identifies when the response was generated.
</p>
<p>
The <span class="json-obj">vulnerabilities</span> object contains an array of objects equal
to the number of CVE returned in the response and is sorted in ascending order by the
<span class="json-obj">published</span> property of the <span class="json-obj">cve</span> object.
The <span class="json-obj">cve</span> object is explained in more detail below.
</p>
<p>
JSON response objects are either optional or required. Required response objects are always returned
by the API and may contain fields without data. Optional response objects are only returned when
they contain data. For example, the <span class="json-obj">cvssMetricV3</span> object is optional.
CVSSv3.0 was released in 2016, thus most CVE published before 2016 do not include the
<span class="json-obj">cvssMetricV3</span> object. The exception are CVE published before 2016 that
were later reanalyzed or modified. These CVE may have been updated to include CVSSv3 information.
If the CVE was updated in this way, the API response would include this optional information.
</p>
<h5 style="font-family:'Roboto Mono Web','Bitstream Vera Sans Mono','Consolas','Courier','monospace'" id="cves-response-cve">cve <span class="paramRequired"> required</span> </h5>
<p>
This object always contains the CVE-ID, <span class="json-obj">sourceIdentifier</span> an identifier for the source of the CVE,
<span class="json-obj">published</span> the date and time that the CVE was published to the NVD,
<span class="json-obj">lastModified</span> the date and time that the CVE was last modified, and
<span class="json-obj">vulnStatus</span> the CVE's <a href="/vuln/vulnerability-status#divNvdStatus">status in the NVD</a>.
</p>
<p>
This object also contains seven <strong>optional</strong> fields. The
<span class="json-obj">evaluatorComment</span>, <span class="json-obj">evaluatorImpact</span>,
and <span class="json-obj">evaluatorSolution</span> provide additional context to help understand
the vulnerability or its analysis. If the CVE is listed in CISA's Known Exploited Vulnerabilities (KEV)
Catalog <span class="json-obj">cisaExploitAdd</span>, <span class="json-obj">cisaActionDue</span>,
<span class="json-obj">cisaRequiredAction</span>, and <span class="json-obj">cisaVulnerabilityName</span>
will be returned. The <span class="json-obj">cisaActionDue</span>
object indicates the date by which all federal civilian executive branch (FCEB) agencies are required
to complete the <span class="json-obj">cisaRequiredAction</span> under Binding Operational Directive
(BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound
by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT)
governments and private industry can significantly strengthen their security and resilience posture
by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well.
</p>
<p>
This object may also contain up to seven objects with additional nested information.
The <span class="json-obj">cveTags</span>, <span class="json-obj">description</span>,
<span class="json-obj">metrics</span>, <span class="json-obj">weaknesses</span>,
<span class="json-obj">configurations</span>, <span class="json-obj">references</span>,
and <span class="json-obj">vendorComments</span> objects are explained in more detail below.
</p>
<table class="table">
<tr>
<td>
<a id="cves-response-cves-cvetags"><span class="paramName"> cveTags <span class="paramRequired">optional</span></span></a>
<p>
This object contains one or more tags that provide contextual information about the CVE.
</p>
<p>
<span class="json-obj">source</span> identifies the organization
that provided the CVE Tag information and <span class="json-obj">tags</span>
identifies each relevant CVE Tag.
</p>
<button onclick="toggleMoreCode('jsonWindowCvesCveTags')">Toggle JSON</button>
<div id="jsonWindowCvesCveTags" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cves-descriptions"><span class="paramName"> descriptions <span class="paramRequired">required</span></span></a>
<p>
This object contains a description of the CVE in one or more languages.
ISO 639-1:2002's two-letter language identifiers indicate the language
of the description. Spanish language translations are provided by the
<a href="https://www.incibe.es/en">Spanish National Cybersecurity Institute</a>
(INCIBE).
</p>
<button onclick="toggleMoreCode('jsonWindowCvesDescriptions')">Toggle JSON</button>
<div id="jsonWindowCvesDescriptions" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"descriptions": [
{
"lang": "en",
"value": "The debug command in Sendmail is enabled, allowing attackers to execute commands as root."
},
{
"lang": "es",
"value": "El comando de depuración de Sendmail está activado, permitiendo a atacantes ejecutar comandos como root."
}
],
</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cve-metrics"><span class="paramName"> metrics <span class="paramOptional">optional</span></span></a>
<p>
This object contains information on the CVE's impact. If the CVE has been
analyzed, this object will contain any CVSSv2 or CVSSv3 information associated
with the vulnerability.
</p>
<p>
<span class="json-obj">source</span> identifies the organization
that provided the metrics information and <span class="json-obj">type</span>
identifies whether the organization is a primary or secondary source. Primary
sources include the NVD and CNA who have reached the provider level in CVMAP.
10% of provider level submissions are audited by the NVD. If a submission has
been audited the NVD will appear as the primary source and the provider level
CNA will appear as the secondary source.
</p>
<button onclick="toggleMoreCode('jsonWindowCveMetrics')">Toggle JSON</button>
<div id="jsonWindowCveMetrics" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"metrics": {
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0
},
"baseSeverity": "HIGH",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"acInsufInfo": false,
"obtainAllPrivilege": true,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cves-weaknesses"><span class="paramName"> weaknesses <span class="paramOptional">optional</span></span></a>
<p>
This object contains information on <a href="/vuln/categories">specific weaknesses</a>,
considered the cause of the vulnerability. Please note, a CVE that is Awaiting
Analysis, Undergoing Analysis, or Rejected may not include the weaknesses
object.
</p>
<p>
<span class="json-obj">source</span> identifies the organization
that provided the weakness information and <span class="json-obj">type</span>
identifies whether the organization is a primary or secondary source. Primary
sources include the NVD and CNA who have reached the provider level in CVMAP.
10% of provider level submissions are audited by the NVD. If a submission has
been audited the NVD will appear as the primary source and the provider level
CNA will appear as the secondary source.
</p>
<button onclick="toggleMoreCode('jsonWindowCvesWeaknesses')">Toggle JSON</button>
<div id="jsonWindowCvesWeaknesses" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
],
</pre></code>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cve-configurations"><span class="paramName"> configurations <span class="paramOptional">optional</span></span></a>
<p>
This object contains the CVE applicability statements that convey which product, or
products, are associated with the vulnerability according to the NVD analysis. Please
note, a CVE that is Awaiting Analysis, Undergoing Analysis, or Rejected will not
include the configurations object.
</p>
<p>
Like the JSON response, <span class="json-obj">configurations</span> are a hierarchical
data structure that always contain one or more CPE match strings.
Each object within <span class="json-obj">configurations</span> includes either
an OR- or an AND-operator (and in rare cases a NEGATE flag) to covey the logical
relationship of the CPE or child objects within. For example, if the vulnerability
exists only when both CPE products are present, the operator is “AND”. If the
vulnerability exists if either CPE is present, then the operator is “OR”.
</p>
<p>
The <span class="json-obj">cpeMatch</span> object contains the CPE Match Criteria,
the criteria's unique identifier, and a statement of whether the criteria is vulnerable.
The <span class="json-obj">matchCriteriaId</span>'s corresponding <code>{uuid}</code>
may be used with either the
<a href="/developers/products#cpematch-matchCriteriaId">Match Criteria API's matchCriteriaId</a>
or the
<a href="/developers/products#cpes-matchCriteriaId">CPE API's matchCriteriaId</a>
parameters.
<p>
<button onclick="toggleMoreCode('jsonWindowCvesConfigurations')">Toggle JSON</button>
<div id="jsonWindowCvesConfigurations" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:eric_allman:sendmail:5.58:*:*:*:*:*:*:*",
"matchCriteriaId": "1D07F493-9C8D-44A4-8652-F28B46CBA27C"
}
]
}
]
}
],
</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cves-references"><span class="paramName"> references <span class="paramRequired">required</span></span></a>
<p>
This object contains supplemental information relevant to the vulnerability,
and may include details that are not present in the CVE Description.
Each reference within this object provides one or more resource tags (e.g.,
third-party advisory, vendor advisory, technical paper, press/media, VDB entries).
Resource tags are designed to categorize the type of information each reference contains.
</p>
<p>
<span class="json-obj">source</span> identifies the organization
that provided the reference information and <span class="json-obj">type</span>
identifies whether the organization is a primary or secondary source. Primary
sources include the NVD and CNA who have reached the provider level in CVMAP.
10% of provider level submissions are audited by the NVD. If a submission has
been audited, the NVD will appear as the primary source and the provider level
CNA will appear as the secondary source.
</p>
<button onclick="toggleMoreCode('jsonWindowCvesReferences')">Toggle JSON</button>
<div id="jsonWindowCvesReferences" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"references": [
{
"url": "http://seclists.org/fulldisclosure/2019/Jun/16",
"source": "security@netgear.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2019/06/05/4",
"source": "security@netgear.com"
},
{
"url": "http://www.openwall.com/lists/oss-security/2019/06/06/1",
"source": "security@netgear.com"
},
{
"url": "http://www.securityfocus.com/bid/1",
"source": "security@netgear.com"
}
]
</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cves-response-cves-vendorComments"><span class="paramName"> vendorComments <span class="paramOptional">optional</span></span></a>
<p>
This object contains any Official Vendor Comment for the CVE. NVD provides a service
whereby organizations can submit Official Vendor Comments for
CVE associated with their products. Organizations can use the service in a
variety of ways. For example, they can provide configuration and remediation
guidance, clarify vulnerability applicability, provide deeper vulnerability analysis,
dispute third party vulnerability information, and explain vulnerability impact.
Official Vendor Comments can be submitted to the NVD by email at
<a href="mailto:nvd@nist.gov">nvd@nist.gov</a>.
More information is provided on the
<a href="/vuln/vendor-comments">vendor comments</a> page.
</p>
<button onclick="toggleMoreCode('jsonWindowCvesVendorComments')">Toggle JSON</button>
<div id="jsonWindowCvesVendorComments" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
"vendorComments": [
{
"organization": "Red Hat",
"comment": "Not vulnerable. This issue did not affect the versions of the util-linux packages (providing /bin/login), as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.",
"lastModified": "2008-12-18T00:00:00"
}
]
</code></pre>
</div>
</td>
</tr>
</table>
</div>
<div id="divGetCveHistory" class="row">
<h3>CVE Change History API</h3>
<p>
The CVE Change History API is used to easily retrieve information on changes made
to a single CVE or a collection of CVE from the NVD. This API provides additional
transparency to the work of the NVD, allowing users to easily monitor when and
why vulnerabilities change.
</p>
<p>
The NVD has existed in some form
<a href="/general/brief-history">since 1999</a>
and the fidelity of this information has changed several times over the decades.
Earlier records may not contain the level of detail available with more recent CVE records.
This is most apparent on CVE records prior to 2015.
</p>
<p>
The URL stem for retrieving CVE information is shown below.
</p>
</div>
<div id= cveHistoryBase class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Base URL</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0</code></pre>
</div>
<h4 title="Click to expand or collapse">
<a id="toggleGetCveHistoryParameters"
onclick="toggleMoreCode('divGetCveHistoryParameters', 'iconCveHistoryParams')">
<span class="fa fa-plus" id="iconCveHistoryParams"></span>
Parameters
</a>
</h4>
<div id="divGetCveHistoryParameters" class="row" style="display: none">
<table class="table">
<tr>
<td>
<a id="cveHistory-changeDates"><span class="paramName">changeStartDate & changeEndDate <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{start date}</code></li>
<li><code>{end date}</code></li>
</ul>
<p>
These parameters return any CVE that changed during the
specified period. Please note, this is different from
the last modified date parameters used with other APIs.
If filtering by the change date, both
<code>changeStartDate</code> and <code>changeEndDate</code> are <span class="paramRequired">required</span>.
The maximum allowable range when using any date range parameters
is 120 consecutive days.
</p>
<p>
Values must be entered in the extended ISO-8601 date/time format:
</p>
<code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code>
<p>
The "T" is a literal to separate the date from the time. The Z indicates
an optional offset-from-UTC. Please note, if a positive Z value is used
(such as +01:00 for Central European Time) then the "+" should be encoded
in the request as "%2B". The user agent may handle this encoding automatically.
</p>
<div id= "cveHistory-changeDates-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE change histories between the start and end datetimes</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?changeStartDate=2021-08-04T13:00:00.000%2B01:00&changeEndDate=2021-10-22T13:36:00.000%2B01:00</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cveHistory-cveId"><span class="paramName">cveId <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{CVE-ID}</code></li>
</ul>
<p>
This parameter returns the complete change history for a specific vulnerability
identified by its unique Common Vulnerabilities and Exposures identifier
(the CVE ID). <code>cveId</code> will not accept <code>{CVE-ID}</code>
for vulnerabilities not yet published in the NVD.
</p>
<div id="cveHistory-cveId-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request the change history for a specific CVE using its CVE-ID</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2019-1010218</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cveHistory-eventName"><span class="paramName">eventName <span class="paramOptional">optional</span></span></a>
<table id="cveHistory-eventName-values-table" class="inner-table table-hover">
<tbody>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Received</code></li></ul></td>
<td class="inner-table-description"><p>An approved source has published the CVE record
to the CVE List and the NVD has processed the record and any supported data types.
NVD analysis has not yet occurred on the CVE record.
</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>Initial Analysis</code></li></ul></td>
<td class="inner-table-description"><p>The NVD performs its initial analysis
to enrich the CVE record with reference tags, CVSS base metrics, CWE,
and CPE applicability statements.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>Reanalysis</code></li></ul></td>
<td class="inner-table-description"><p>The NVD performs further analysis resulting
in some modification to the CVE record.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Modified</code></li></ul></td>
<td class="inner-table-description"><p>An approved source modifies a CVE record
published in the NVD. The modification's source is identified
on the details page in the event name and in the API response by the value
of the <span class="json-obj">sourceIdentifier</span>.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>Modified Analysis</code></li></ul></td>
<td class="inner-table-description"><p>After an approved source modified a
previously analyzed CVE record, the NVD performs further analysis.
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Translated</code></li></ul></td>
<td class="inner-table-description"><p>An approved translator provides a
non-English translation for the CVE record.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>Vendor Comment</code></li></ul></td>
<td class="inner-table-description"><p>The NVD updates the CVE record with
additional information from the product vendor.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Source Update</code></li></ul></td>
<td class="inner-table-description"><p>The NVD updates the information on a source
that contributed to the CVE record.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CPE Deprecation Remap</code></li></ul></td>
<td class="inner-table-description"><p>The NVD updates the match criteria associated
with the CVE record based on changes to the CPE dictionary. This event occurs separate
from analysis.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CWE Remap</code></li></ul></td>
<td class="inner-table-description"><p>The NVD updates the weakness associated with
the CVE record. This event occurs separate from analysis.</p></td>
</tr> <tr>
<td class="inner-table-value"><ul><li><code>Reference Tag Update</code></li></ul></td>
<td class="inner-table-description"><p>The NVD updates the Reference Tag of a URL associated
with the CVE record. This event occurs separate from analysis.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Rejected</code></li></ul></td>
<td class="inner-table-description"><p>An approved source rejects a CVE record.
Rejections occurs for one or more reasons, including duplicate CVE entries,
withdraw by the original requester, incorrect assignment, or some other
administrative reason.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE Unrejected</code></li></ul></td>
<td class="inner-table-description"><p>An approved source re-published a CVE record
previously marked rejected.</p></td>
</tr>
<tr>
<td class="inner-table-value"><ul><li><code>CVE CISA KEV Update</code></li></ul></td>
<td class="inner-table-description"><p>An update to CISA KEV information was performed for an associated CVE.
</p></td>
</tr>
</tbody>
</table>
<p>
This parameter returns all CVE associated with a specific
type of change event.
Please note, each request can contain only one value for the
<code>eventName</code> parameter. Empty spaces in the URL
should be encoded in the request as "%20". The user agent may
handle this encoding automatically.
</p>
<div id="cveHistory-eventName-request" class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request all CVE that were rejected in the specified time frame</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0?eventName=CVE%20Rejected&changeStartDate=2021-08-04T13:00:00.000%2B01:00&changeEndDate=2021-10-22T13:36:00.000%2B01:00</code></pre>
</div>
</td>
</tr>
<tr>
<td>
<a id="cveHistory-resultsPerPage"><span class="paramName">resultsPerPage <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{page limit}</code></li>
</ul>
<p>
This parameter specifies the maximum number of change events to be returned
in a single API response. For network considerations, the default value and maximum
allowable limit is <span id="apiResultsPerPageHistory">5,000</span>.
</p>
</td>
</tr>
<tr>
<td>
<a id="cveHistory-startIndex"><span class="paramName">startIndex <span class="paramOptional">optional</span></span></a>
<ul>
<li><code>{offset}</code></li>
</ul>
<p>
This parameter specifies the index of the first change events to be returned in
the response data. The index is zero-based, meaning the first change events
is at index zero.
</p>
<p>
The CVE Change History API returns four primary objects in the response body that are
used for pagination:
<span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>,
and <span class="json-obj">cveChanges</span>. <span class="json-obj">totalResults</span> indicates the
total number of change events that match the request parameters.
If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>,
there are more events than could be returned by a single API
response and additional requests must update the <code>startIndex</code>
to get the remaining events.
</p>
<div id= cveHistory-startIndex-request class="example-request">
<div class="example-request-topbar">
<div class="example-request-title">Request 20 change events, beginning at index 0 and ending at index 19</div>
</div>
<pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?resultsPerPage=20&startIndex=0</code></pre>
</div>
</td>
</tr>
</table>
</div>
<h4 title="Click to expand or collapse">
<a id="toggleCveHistoryResponseBody"
onclick="toggleMoreCode('divCveHistoryResponseBody', 'iconCveHistoryResponseBody')">
<span class="fa fa-plus" id="iconCveHistoryResponseBody"></span>
Response
</a>
</h4>
<div id="divCveHistoryResponseBody" class="row" style="display: none">
<h5>CVE Change History API JSON Schema</h5>
<p>
This API response includes only one JSON schema for defining the structure of the response data.
The following document includes information
on data types, regex patterns, maximum character length, and similar information that can support
developers and database administrators looking to create their own local repository.
</p>
<ul style="list-style: none">
<li><a href="https://csrc.nist.gov/schema/nvd/api/2.0/cve_history_api_json_2.0.schema" class=schema-link>CVE Change History API Schema</a></li>
</ul>
<h5>Response Details</h5>
<p>
The CVE Change History API returns seven primary objects in the body of the response:
<span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>,
<span class="json-obj">totalResults</span>, <span class="json-obj">format</span>,
<span class="json-obj">version</span>, <span class="json-obj">timestamp</span>,
and <span class="json-obj">cveChanges</span>.
</p>
<p>
The <span class="json-obj">totalResults</span> object indicates the number of change events
that match the request, including all parameters. If the value of
<span class="json-obj">totalResults</span> is greater than the value of
<span class="json-obj">resultsPerPage</span>, then additional requests are necessary to
return the remaining records. The parameter <span class="json-obj">startIndex</span> may be
used in subsequent requests to identify the starting point for the next request. More
information and the best practices for using <span class="json-obj">resultsPerPage</span>
and <span class="json-obj">startIndex</span> are described above.
</p>
<p>
The <span class="json-obj">format</span> and <span class="json-obj">version</span> objects
identify the format and version of the API response. <span class="json-obj">timestamp</span>
identifies when the response was generated.
</p>
<p>
The <span class="json-obj">cveChanges</span> object contains an array of objects equal
to the number of change events returned in the response and is sorted in ascending order
by the <span class="json-obj">created</span> property of the <span class="json-obj">change</span> object.
The <span class="json-obj">change</span> object is explained in more detail below.
</p>
<p>
JSON response objects are either optional or required. Required response objects are always returned
by the API and may contain fields without data. Optional response objects are only returned when
they contain data.
</p>
<h5 style="font-family:'Roboto Mono Web','Bitstream Vera Sans Mono','Consolas','Courier','monospace'" id="cves-response-cve-change">change <span class="paramRequired"> required</span> </h5> <!-- DOCUMENTATION INCOMPLETE -->
<p>
This object contains the following required data: the CVE-ID, the type of change event,
a Universally Unique Identifier (UUID) for the change event, the
<a href="/developers/data-sources">source</a> of the
change event, the date and time that the CVE was modified, and an array of data
containing any additional details.
</p>
<p>
The <span class="json-obj">details</span> array is a required object. It will appear
whether or not the array contains additional data.
</p>
<button onclick="toggleMoreCode('jsonWindowCvesHistory')">Toggle JSON</button>
<div id="jsonWindowCvesHistory" class="example-response" style="display: none;">
<pre class="contentSection-pre"><code>
{
"resultsPerPage": 1,
"startIndex": 0,
"totalResults": 558843,
"format": "NVD_CVEHistory",
"version": "2.0",
"timestamp": "2022-10-24T12:30:00.000",
"cveChanges": [
{
"change": {
"cveId": "CVE-2020-12448",
"eventName": "Initial Analysis",
"cveChangeId": "5DEF54B9-7FF3-4436-9763-2958C5B78731",
"sourceIdentifier": "nvd@nist.gov",
"created": "2020-05-11T15:05:30.490",
"details": [
{
"action": "Added",
"type": "CVSS V2",
"newValue": "NIST (AV:N/AC:L/Au:N/C:P/I:N/A:N)"
},
{
"action": "Added",
"type": "CVSS V3.1",
"newValue": "NIST AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
"action": "Changed",
"type": "Reference Type",
"oldValue": "https://about.gitlab.com/blog/categories/releases/ No Types Assigned",
"newValue": "https://about.gitlab.com/blog/categories/releases/ Product, Release Notes"
},
{
"action": "Changed",
"type": "Reference Type",
"oldValue": "https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ No Types Assigned",
"newValue": "https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ Release Notes, Vendor Advisory"
},
{
"action": "Added",
"type": "CWE",
"newValue": "NIST CWE-22"
},
{
"action": "Added",
"type": "CPE Configuration",
"newValue": "OR\n *cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* versions from (including) 12.8.0 up to (excluding) 12.8.10"
}
]
}
}
]
}
</code></pre>
</div>
<div id="divContact" class="row">
<br>
<p>
Questions, comments, or concerns may be shared with the NVD by emailing <a href="mailto:nvd@nist.gov">nvd@nist.gov</a>
</p>
</div>
</div>
<div class="col-md-12 historical-data-area" id="historical-data-area">
<span>
Created
<span id="page-created-date">
<span>September 20, 2022</span>
</span>,
</span>
Updated
<span id="page-updated-date">
<span>February 25, 2025</span>
</span>
</div>
</div>
</div>
</div>
</main>
<footer id="footer" role="contentinfo">
<div class="container">
<div class="row">
<div class="col-sm-12">
<ul class="social-list pull-right">
<li class="field-item service-twitter list-horiz"><a
href="https://twitter.com/NISTCyber" target="_blank" rel="noopener noreferrer"
class="social-btn social-btn--large extlink ext"> <i
class="fa fa-twitter fa-fw"><span class="element-invisible">twitter</span></i><span
class="ext"><span class="element-invisible"> (link
is external)</span></span>
</a></li>
<li class="field-item service-facebook list-horiz"><a
href="https://www.facebook.com/NIST" target="_blank" rel="noopener noreferrer"
class="social-btn social-btn--large extlink ext"> <i
class="fa fa-facebook fa-fw"><span class="element-invisible">facebook</span></i><span
class="ext"><span class="element-invisible"> (link
is external)</span></span></a></li>
<li class="field-item service-linkedin list-horiz"><a
href="https://www.linkedin.com/company/nist" target="_blank" rel="noopener noreferrer"
class="social-btn social-btn--large extlink ext"> <i
class="fa fa-linkedin fa-fw"><span class="element-invisible">linkedin</span></i><span
class="ext"><span class="element-invisible"> (link
is external)</span></span></a></li>
<li class="field-item service-youtube list-horiz"><a
href="https://www.youtube.com/user/USNISTGOV" target="_blank" rel="noopener noreferrer"
class="social-btn social-btn--large extlink ext"> <i
class="fa fa-youtube fa-fw"><span class="element-invisible">youtube</span></i><span
class="ext"><span class="element-invisible"> (link
is external)</span></span></a></li>
<li class="field-item service-rss list-horiz"><a
href="https://www.nist.gov/news-events/nist-rss-feeds"
target="_blank" rel="noopener noreferrer" class="social-btn social-btn--large extlink">
<i class="fa fa-rss fa-fw"><span class="element-invisible">rss</span></i>
</a></li>
<li class="field-item service-govdelivery list-horiz last"><a
href="https://public.govdelivery.com/accounts/USNIST/subscriber/new?qsp=USNIST_3"
target="_blank" rel="noopener noreferrer" class="social-btn social-btn--large extlink ext">
<i class="fa fa-envelope fa-fw"><span
class="element-invisible">govdelivery</span></i><span class="ext"><span
class="element-invisible"> (link is external)</span></span>
</a></li>
</ul>
<span class="hidden-xs"> <a
title="National Institute of Standards and Technology" rel="home"
class="footer-nist-logo"> <img
src="/site-media/images/nist/nist-logo.png"
alt="National Institute of Standards and Technology logo" />
</a>
</span>
</div>
</div>
<div class="row hidden-sm hidden-md hidden-lg">
<div class="col-sm-12">
<a href="https://www.nist.gov"
title="National Institute of Standards and Technology" rel="home"
target="_blank" rel="noopener noreferrer" class="footer-nist-logo"> <img
src="/site-media/images/nist/nist-logo.png"
alt="National Institute of Standards and Technology logo" />
</a>
</div>
</div>
<div class="row footer-contact-container">
<div class="col-sm-6">
<strong>HEADQUARTERS</strong>
<br>
100 Bureau Drive
<br>
Gaithersburg, MD 20899
<br>
<a href="tel:301-975-2000">(301) 975-2000</a>
<br>
<br>
<a href="mailto:nvd@nist.gov">Webmaster</a> | <a
href="https://www.nist.gov/about-nist/contact-us">Contact Us</a>
| <a href="https://www.nist.gov/about-nist/visit"
style="display: inline-block;">Our Other Offices</a>
</div>
<div class="col-sm-6">
<div class="pull-right"
style="text-align:right">
<strong>Incident Response Assistance and Non-NVD Related<br>Technical Cyber Security Questions:</strong>
<br>
US-CERT Security Operations Center
<br> Email: <a href="mailto:soc@us-cert.gov">soc@us-cert.gov</a>
<br> Phone: 1-888-282-0870
</div>
</div>
</div>
<div class="row">
<nav title="Footer Navigation" role="navigation"
class="row footer-bottom-links-container">
<!-- https://github.com/usnistgov/nist-header-footer/blob/nist-pages/boilerplate-footer.html -->
<p>
<a href="https://www.nist.gov/oism/site-privacy">Site Privacy</a>
|
<a href="https://www.nist.gov/oism/accessibility">Accessibility</a>
|
<a href="https://www.nist.gov/privacy">Privacy Program</a>
|
<a href="https://www.nist.gov/oism/copyrights">Copyrights</a>
|
<a href="https://www.commerce.gov/vulnerability-disclosure-policy">Vulnerability Disclosure</a>
|
<a href="https://www.nist.gov/no-fear-act-policy">No Fear Act Policy</a>
|
<a href="https://www.nist.gov/foia">FOIA</a>
|
<a href="https://www.nist.gov/environmental-policy-statement">Environmental Policy</a>
|
<a href="https://www.nist.gov/summary-report-scientific-integrity">Scientific Integrity</a>
|
<a href="https://www.nist.gov/nist-information-quality-standards">Information Quality Standards</a>
|
<a href="https://www.commerce.gov/">Commerce.gov</a>
|
<a href="https://www.science.gov/">Science.gov</a>
|
<a href="https://www.usa.gov/">USA.gov</a>
</p>
</nav>
</div>
</div>
</footer>
</body>
</html>
Reference in a new issue View git blame Copy permalink