Last reviewed:
National Vulnerability Database. The U.S. government's catalogue of CVE entries with CVSS scoring.
The National Vulnerability Database (NVD), maintained by NIST, is the canonical structured catalogue of CVE (Common Vulnerabilities and Exposures) entries. Each NVD record includes the CVE id, a description, affected products (CPE), CVSS v2/v3 base scoring, references to vendor advisories, and CWE classification.
NVD and the CVE programme are related but distinct. MITRE's CVE programme assigns the identifier and a short description; NVD enriches that record with CVSS severity, CPE affected-products, and CWE weakness type. A CVE id can exist at CVE.org for a few days before its enriched NVD record publishes, which is why automated pipelines key off NVD when they need severity-aware decisions.
NVD publishes via JSON 2.0 data feeds: a 'recent' feed covering the last eight days of new entries, a 'modified' feed covering the same window of changes, and per-year archives back to 2002. Update cadence on the rolling feeds is roughly every two hours; teams that need lower latency typically consume the CVE Services API at MITRE and reconcile against NVD once scoring lands.
CloudSigma enriches new CVE references in the daily Intel feed against NVD before generating detection rules, so each rule's affected-products and severity context is sourced rather than guessed. Coverage is curated to vulnerabilities affecting AWS, Azure, and Google Cloud control-plane or workload components; endpoint software CVEs are out of scope.