Skip to main content

National Vulnerability Database (NVD)

The NVD is NIST’s database that enriches CVE records with CVSS severity scores, product identifiers, and reference data.

The National Vulnerability Database (NVD) is maintained by NIST, the U.S. National Institute of Standards and Technology. It builds on the CVE catalog, enriching each record with CVSS severity scores, product identifiers (CPE), weakness classifications (CWE), and reference links.

How It Works

When a CVE is published, NVD analysts enrich it — attaching a severity vector and the machine-readable product strings scanners match against. Since April 2026, NVD prioritizes enrichment for CVEs in the KEV catalog, in federal software, or designated critical under Executive Order 14028; all CVEs are still catalogued, but lower-priority records are not scheduled for immediate enrichment.

Why It Matters

A large share of tooling historically assumed a fully enriched NVD — sort the CVSS column, work down. With enrichment prioritized rather than universal, severity data for the long tail of CVEs is thinning, and NVD's free-text product matching was always less precise for open-source packages than ecosystem-native coordinates. Modern scanners therefore source advisories from package-native databases like OSV and GHSA and treat NVD severity as one input among several.

Related Terms

The NVD enriches CVE records with CVSS scores; OSV and GHSA provide package-native alternatives; KEV records which CVEs are actually exploited.