nvd.nist.gov /general/news
National Vulnerability Database
Static Web Parser

 


  • November 15, 2024:  NVD Technical Update
    CVE List Authorized Data Publisher (ADP) Support
    We plan to deploy changes to our systems the week of November 18th. After this is complete, NVD systems will begin ingesting supported datatypes within the CVE List from all sources (CNAs and ADPs). 

    What does this mean?
    CVE records within the NVD dataset will contain more information (Reference(s), CWE, and CVSS) from additional sources. This new information will be displayed on the website and in the API responses, attributed to the organization who contributed the information. More information regarding ADPs can be reviewed at https://www.cve.org/ProgramOrganization/ADPs.

    Downstream data consumers will notice a large shift in the volume of CVE Record modifications as part of this change. Going forward, organizations should expect CVE records to update at a higher frequency.

    Other relevant changes:
    Duplicate References and Reference Tags

    As part of NVD enrichment efforts, reference tags are associated with each reference provided by a specific source. In instances where the same reference is provided by multiple sources, any reference tags associated to an existing reference will be applied to the newly provided, duplicate reference automatically.

    Changes to NVD CVE Record Change History

    • Event Names are now more consistently ordered when they are recorded at the same timestamp.
    • Event Content (Actions and Change Types) will now be more consistently ordered.
    • Reference and Reference Tag (Type) changes will now be audited separately across all cases.
    • “CVE Received” Events will be re-labeled as “New CVE Received.” Using the “CVE Received” eventName parameter for the /cvehistory/ API will still return the appropriate results.

    CVE API and Vulnerability Search Impacts
    Due to upstream removal of data points used by the NVD systems, the following parameters will no longer filter search results. 

    • CVE API: HasCertAlerts, HasCertNotes, HasOval
    • Vulnerability Search:  US-CERT Technical Alerts, US-CERT Vulnerability Notes, OVAL Queries

    These options will be removed in a future release.

  • November 13, 2024

  • November 13, 2024:  NVD General Update
    This update provides information on our progress as we work to process all incoming Common Vulnerabilities and Exposures (CVEs) and to address the backlog of CVEs that built up earlier this calendar year.

    We now have a full team of analysts on board, and we are addressing all incoming CVEs as they are uploaded into our system. In addition, we have addressed all Known Exploited Vulnerabilities (KEVs) that were in the backlog, and we are processing all new KEVs as they come in.

    However, our initial estimate of when we would clear the backlog was optimistic. This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance.

    To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently. We are working to complete this project as quickly as possible and will continue to provide updates on our progress to this NVD Updates page.

  • November 13, 2024

  • November 13, 2024: This update provides information on our progress as we work to process all incoming Common Vulnerabilities and Exposures (CVEs) and to address the backlog of CVEs that built up earlier this calendar year.

    We now have a full team of analysts on board, and we are addressing all incoming CVEs as they are uploaded into our system. In addition, we have addressed all Known Exploited Vulnerabilities (KEVs) that were in the backlog, and we are processing all new KEVs as they come in.

    However, our initial estimate of when we would clear the backlog was optimistic. This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance.

    To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently. We are working to complete this project as quickly as possible and will continue to provide updates on our progress to this NVD Updates page.
     

  • August 12, 2024

  • August 12, 2024: Throughout the week of August 12 -16, 2024, NVD’s servers will be undergoing maintenance by NIST. There is a possibility that there will be sporadic interruptions in NVD service, lasting until 6:00 PM on August 16, 2024.
     
  • August 12, 2024

  • August 12, 2024:  NVD Technical Update
    Throughout the week of August 12 -16, 2024, NVD’s servers will be undergoing maintenance by NIST. There is a possibility that there will be sporadic interruptions in NVD service, lasting until 6:00 PM on August 16, 2024.
     
  • July 18, 2024:

  • July 18, 2024: We are currently updating our servers, so users may experience temporary delays or usability issues beginning around 11:00 AM on Thursday, July 18, 2024. We expect our systems to be back to normal by 3:00 PM ET on the same day.
     
  • July 18, 2024

  • July 18, 2024:  NVD Technical Update
     We are currently updating our servers, so users may experience temporary delays or usability issues beginning around 11:00 AM on Thursday, July 18, 2024. We expect our systems to be back to normal by 3:00 PM ET on the same day.
     
  • July 18, 2024

  • July 18, 2024: We are currently updating our servers, so users may experience temporary delays or usability issues beginning around 11:00 AM on Thursday, July 18, 2024. We expect our systems to be back to normal by 3:00 PM ET on the same day.
  • May 29, 2024:

  • May 29, 2024: NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

    In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that that this backlog will be cleared by the end of the fiscal year. 

    As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.

    With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. 

    Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.

  • April 25, 2024:

  • April 25, 2024: NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

    There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

    We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

    NIST is committed to its continued support and management of the NVD. Currently, we are focused on our immediate plans to address the CVE backlog, but plan to keep the community posted on potential plans for the consortium as they develop. For questions and concerns, you can contact nvd [at] nist.gov (nvd[at]nist[dot]gov).

  • April 9, 2024: To enable more flexibility within our API output we need to remove certain restrictions from the existing 2.0 API schemas. All existing API users will need to download the latest schema files to avoid validation issues later this year. See /cves/ schema restriction update.

  • March 5, 2024: As part of ongoing efforts to increase the reliability and general responsiveness of the 2.0 APIs, the NVD will be making a change to the Match Criteria API. See /cpematch/ resultsPerPage update.

  • The NVD now supports CVSS v4.0! See the NVD CVSS v4.0 Official Support announcement for more details.

    May 29, 2024

  • May 29, 2024: NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

    In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that that this backlog will be cleared by the end of the fiscal year. 

    As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.

    With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. 

    Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.
  • May 29, 2024

  • May 29, 2024:  NVD General Update 
    NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

    In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that that this backlog will be cleared by the end of the fiscal year. 

    As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.

    With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. 

    Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.
  • May 20, 2024: On May 8, 2024, the Common Vulnerabilities and Exposures (CVE) program deployed support for the CVE 5.1 record format. Once the deployment started, NIST was not able to process records with the new format until we released a subsequent deployment for NVD-related systems on May 14, 2024. We are now ingesting both CVE 5.0 and CVE 5.1 records into the NVD dataset on an hourly basis and we’re working as fast as we can to return to normal processing. 

  • April 25, 2024

  • April 25, 2024: NVD General Update
    NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

    There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

    We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

    NIST is committed to its continued support and management of the NVD. Currently, we are focused on our immediate plans to address the CVE backlog, but plan to keep the community posted on potential plans for the consortium as they develop. For questions and concerns, you can contact nvd [at] nist.gov (nvd[at]nist[dot]gov).

  • April 25, 2024

  • April 25, 2024: NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

    There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

    We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

    NIST is committed to its continued support and management of the NVD. Currently, we are focused on our immediate plans to address the CVE backlog, but plan to keep the community posted on potential plans for the consortium as they develop. For questions and concerns, you can contact nvd [at] nist.gov (nvd[at]nist[dot]gov).

  • To enable more flexibility within our API output we need to remove certain restrictions from the existing 2.0 API schemas. All existing API users will need to download the latest schema files to avoid validation issues later this year. See /cves/ schema restriction update.
    The NVD has added information to its CVE detail pages to identify vulnerabilities appearing in CISA's Known Exploited Vulnerabilities Catalog. Information on exploited vulnerabilities and the affected products will also become available to developers when the NVD releases new APIs in late 2022. Questions about the Known Exploited Vulnerabilities Catalog should be directed to CISA. Questions about the CVE may be directed to the NVD.

    NVD begins assessments with CVSS v3.0

    NVD begins assessments with CVSS v3.0
    As part of ongoing efforts to increase the reliability and general responsiveness of the 2.0 APIs, the NVD will be making a change to the Match Criteria API. See /cpematch/ resultsPerPage update.
    NIST is working to establish a consortium to improve the NVD program, and there will be some temporary delays in analysis efforts. For more information please review the NVD program transition announcement page.
    The NVD has transitioned from processing the CVE List 4.0 JSON to the CVE List 5.0 JSON. There are quite a few changes to the NVD dataset as a result of this transition. Please make sure to read the details of these changes at the NVD CVE 4.0 to CVE 5.0 transition page.
  • July 2, 2024: NIST has made recent updates to improve functionality of the NVD. We are aware of availability issues with the NVD API Endpoints and are working to resolve them. If you are experiencing schema validation errors, please ensure that you or the tools you use have the latest schema files, which were recently updated. Stability should return once users make these updates and implement best practices to reduce unnecessary request volume.

    NVD CVSS v4.0 Official Support
    The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard; released November 1, 2023. CVSS v4.0 provides increased granularity for Base metrics, a new Supplemental metric group, a different methodology for determining severity and more. For more information regarding CVSS v4.0 please visit https://www.first.org/cvss/v4.0/specification-document.

    CVSS v4.0 information will be displayed throughout the NVD website: 

    Vulnerability Detail Pages
    The Metrics section of the Vulnerability detail pages will now contain CVSS v4.0 data when available. CVSS v4.0 data will be displayed in a similar fashion to CVSS v3.x and CVSS v2.0 and will be displayed if available through NVD enrichment or CVE Program related CNA and/or ADP contributions. 

    CVSS v4.0 Calculator
    A CVSS v4.0 Calculator (based on the one provided by the FIRST CVSS SIG) has been included on the website. While visually distinct from previous calculators, the same functionality exists when including CVE IDs or CVSS vector string parameters in the URL to the page (See Calculator Product Integration). 

    Vulnerability Search Form
    The advanced section of the vulnerability search page has been updated to allow searching by CVSS v4.0 criteria. 

    Vulnerability Search Results
    The search results will now include CVSS v4.0 badges when appropriate. For questions and concerns, please contact nvd [at] nist.gov (nvd[at]nist[dot]gov).

    CISA Authorized Data Publisher (ADP) Support
    As of July 3, 2024, the NVD will support inclusion of data from CISA’s Vulnrichment CVSS and CWE information. 

    The Vulnrichment data will now be displayed on the vulnerability detail pages and attributed to the CISA-ADP (Authorized Data Publisher) source along with any relevant CVSS data contributed by NVD enrichment efforts or CNAs.

    This information can also be accessed using the NVD 2.0 APIs! The CVSS information can be located within the metrics object and the CWE information can be found within weaknesses array.  

    No schema changes were necessary to support this update.

    Note:  The legacy data feed files will not contain the Vulnrichment information. For questions and concerns, please contact nvd [at] nist.gov (nvd[at]nist[dot]gov).
     
  • Loading ...