DEV Community

Ava Torres
Ava Torres

Posted on

How to Query the NVD CVE Vulnerability Database Programmatically in 2026

#api #data #security #automation

The National Vulnerability Database (NVD) is the authoritative public source for CVE data — Common Vulnerabilities and Exposures. Every disclosed software vulnerability gets a CVE ID, and NVD enriches those with CVSS scores, affected product ranges, and remediation guidance.

If you work in security, you already know NVD. The question is usually how to get the data out efficiently and pipe it into whatever you are building.

Why You Would Pull This Programmatically

The NVD web interface is fine for one-off lookups. But most of the real work happens in bulk:

  • Security teams running automated vulnerability scans against their dependency list
  • SaaS vendors building compliance dashboards that surface relevant CVEs to customers
  • Threat intelligence platforms ingesting NVD as one of several data sources
  • Penetration testers mapping known vulnerabilities for a specific product version
  • DevSecOps pipelines checking new library versions against known CVEs before merging

NVD does have a public API, but it rate-limits aggressively without an API key, and the JSON structure is deeply nested. Parsing CVSS vectors and affected version ranges is tedious work.

What the Data Includes

Each CVE record from NVD contains:

  • CVE ID and description
  • CVSS v3 base score and vector string
  • Severity rating (Critical, High, Medium, Low)
  • Affected CPE (product/version) configurations
  • Published and last-modified dates
  • CWE (weakness type) classification
  • References and patch links

Accessing NVD Data via Apify

The NVD CVE Vulnerability Database actor wraps the NVD API and returns clean, flat JSON records. You can search by keyword, CVE ID, severity, or date range.

{
  "query": "apache log4j",
  "severity": "CRITICAL",
  "maxResults": 25
}
Enter fullscreen mode Exit fullscreen mode

This is useful when you want to quickly pull all critical CVEs for a specific technology stack, or monitor for newly published vulnerabilities matching a keyword without building your own polling loop.

Practical Workflow

A common setup: schedule the actor to run daily with a pubStartDate filter set to the last 24 hours. Pipe the output into a Slack alert or a database table your security team monitors. That way you get near-realtime CVE monitoring without maintaining API credentials or a custom polling service.

NVD data is public, reliable, and high-value for anyone doing security work. The hard part is usually just getting it into a usable format — that is the problem this actor solves.

Ava Torres is a data engineer in SF building automation tools for research and compliance workflows.

Top comments (0)