The National Vulnerability Database (NVD) is the US government's repository of CVE records. It includes CVSS scores, affected software versions, CWE classifications, and reference links for every published CVE. NIST maintains a public REST API with no authentication required. Querying it programmatically is straightforward -- but building a reliable pipeline for bulk lookups, delta pulls, or continuous monitoring requires more than a few curl commands.
Why automate this?
Security teams, software vendors, and compliance professionals all consume CVE data. The manual workflow (search NVD by keyword, filter by CVSS, export) falls apart at scale:
- Patch management -- pulling all critical/high CVEs for a specific vendor or product family to prioritize patching
- Software composition analysis -- looking up CVEs for a list of third-party dependencies
- Vendor risk assessments -- checking CVE exposure for a vendor's software stack as part of due diligence
- Threat intelligence -- monitoring new CVEs in a product category on a daily or weekly schedule
- Compliance reporting -- generating evidence that known vulnerabilities were tracked and remediated
The NVD API is reliable, but rate limits, pagination, and result normalization add friction. For regular scheduled pulls, you want a managed solution.
How NVD CVE data is structured
Each CVE record has a unique identifier (e.g., CVE-2023-44487), a description, CVSS scores (v2, v3.0, v3.1), affected configurations expressed as CPE strings, references (advisories, patches, PoC links), and CWE classifications. The NVD API supports search by keyword, CPE name, CVSS severity, CWE, and date range.
What data you get
Each record in the output includes:
- cve_id -- CVE identifier
- description -- full vulnerability description
- cvss_v3_base_score -- CVSS 3.x base score (0.0-10.0)
- cvss_v3_severity -- CRITICAL, HIGH, MEDIUM, LOW, NONE
- cvss_v3_vector -- full CVSS vector string
- cwe_ids -- array of CWE weakness identifiers
- published_date -- NVD publication date
- last_modified_date -- most recent update
- affected_cpes -- array of CPE strings for affected products
- references -- array of reference URLs with resource type tags
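The following added example, which is not the actor's own code, shows one way to flatten a record from the NVD CVE API 2.0 JSON into the output fields listed above. The sample record is constructed, and the mapping choices (prefer v3.1 over v3.0, prefer the Primary assessment, keep only CPE matches flagged vulnerable, drop NVD placeholder CWE values) are assumptions.

```python
# Constructed sample shaped like an NVD CVE API 2.0 response (placeholder ID and values).
SAMPLE = {"vulnerabilities": [{"cve": {
    "id": "CVE-2099-0001",
    "published": "2099-01-02T10:00:00.000",
    "lastModified": "2099-01-09T12:30:00.000",
    "descriptions": [{"lang": "es", "value": "(constructed)"},
                     {"lang": "en", "value": "Constructed sample description."}],
    "metrics": {"cvssMetricV31": [
        {"type": "Secondary", "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM",
         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}},
        {"type": "Primary", "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH",
         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}]},
                   {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:example:server:*:*:*:*:*:*:*:*"},
        {"vulnerable": False, "criteria": "cpe:2.3:o:example:os:-:*:*:*:*:*:*:*"}]}]}],
    "references": [{"url": "https://example.com/advisory", "tags": ["Vendor Advisory"]}],
}}]}

def pick_cvss_v3(metrics):
    """Prefer v3.1 over v3.0, and the 'Primary' assessment over 'Secondary'."""
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries = sorted(metrics.get(key) or [], key=lambda m: m.get("type") != "Primary")
        if entries:
            return entries[0].get("cvssData", {})
    return {}  # record has no v3 score yet; score fields become None

def normalize(cve):
    """Map one API 2.0 'cve' object to the flat field names used on this page."""
    cvss = pick_cvss_v3(cve.get("metrics", {}))
    desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
    # Keep real CWE IDs only; placeholders such as NVD-CWE-noinfo are dropped.
    cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w.get("description", []) if d["value"].startswith("CWE-")})
    # Only CPE matches flagged vulnerable count as affected products.
    cpes = [m["criteria"] for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", []) if m.get("vulnerable")]
    return {
        "cve_id": cve["id"], "description": desc,
        "cvss_v3_base_score": cvss.get("baseScore"),
        "cvss_v3_severity": cvss.get("baseSeverity"),
        "cvss_v3_vector": cvss.get("vectorString"),
        "cwe_ids": cwes, "affected_cpes": cpes,
        "published_date": cve.get("published"),
        "last_modified_date": cve.get("lastModified"),
        "references": [{"url": r["url"], "tags": r.get("tags", [])}
                       for r in cve.get("references", [])],
    }

RECORDS = [normalize(v["cve"]) for v in SAMPLE["vulnerabilities"]]
```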
Running a query
The NVD CVE Vulnerability Database actor on Apify accepts a keyword or CVE ID, an optional CVSS severity filter, and a date range. It handles NVD API rate limits and pagination automatically.
Example input:
{
  "keyword": "Apache Log4j",
  "cvssV3Severity": "CRITICAL",
  "dateFrom": "2021-01-01",
  "maxResults": 50
}
Output is available as JSON or CSV and can be scheduled for regular pulls.
Practical workflow
For weekly patch intelligence: schedule the actor with a vendor name and the past 7 days as the date window. Pull new CVEs, filter by severity, and push results to a Slack webhook or spreadsheet via Apify integrations.
For dependency auditing: provide a list of product keywords derived from your SBOM. The actor returns all CVEs matching each product, which you can join against your inventory.
Next steps
NVD is the authoritative source for CVE data. If your security workflow depends on it at scale, automating the pull is straightforward with the right tooling.