What is the National Vulnerability Database (NVD)?
The NVD is the US government's authoritative repository of vulnerability data, enriching CVE entries with CVSS scores, CWE classifications, and affected product lists used by security tools worldwide.
- 1. Definition
- 2. What NVD Provides
- 3. How NVD is Used
- 4. NVD Enrichment Lag
- 5. NVD vs. Other Vulnerability Databases
Definition
The National Vulnerability Database (NVD) is a comprehensive repository of vulnerability data maintained by the National Institute of Standards and Technology (NIST), a US government agency. The NVD builds on the CVE Program's entries by enriching them with additional analysis: CVSS severity scores, CWE weakness classifications, CPE (Common Platform Enumeration) affected product lists, and references to patches and advisories.
While CVE provides the identifier and a basic description, NVD provides the scored, structured, machine-readable vulnerability data that security tools — scanners, SBOMs, patch management systems — rely on for automated vulnerability management.
What NVD Provides
CVSS Scores
NVD assigns CVSS Base Scores to CVE entries, providing the severity rating used by virtually all vulnerability management tools. NVD publishes both CVSS v3.1 and CVSS v2.0 scores for backward compatibility. Some CVEs also have vendor-supplied CVSS scores that may differ from NVD's assessment.
CWE Mappings
NVD maps each CVE to one or more CWE IDs — identifying the weakness type responsible for the vulnerability. This mapping enables aggregation by weakness category and drives the data behind the CWE Top 25 rankings.
CPE Affected Product List
NVD uses CPE (Common Platform Enumeration) to enumerate exactly which products and versions are affected by each CVE. This enables automated scanners to match CVEs to specific versions of specific products in a software bill of materials.
References and Advisories
NVD aggregates references to vendor advisories, patch locations, proof-of-concept code, and news articles related to each CVE, providing a comprehensive starting point for remediation.
How NVD is Used
Dependency scanners
Tools like Dependabot, Snyk, OWASP Dependency-Check, and npm audit query the NVD (directly or through a vendor database that mirrors NVD) to identify CVEs affecting dependencies in a project's dependency tree. The NVD's CPE data enables version-specific matching.
SAST and DAST tools
Security scanners cross-reference their findings with NVD data to provide CVSS scores and CVE context for detected vulnerabilities. A SAST finding for SQL injection may reference the CVE ID for a known SQL injection vulnerability in the specific library being used.
Compliance and audit
NVD is the authoritative data source for vulnerability compliance requirements. FedRAMP, DISA STIG, and PCI-DSS programs reference NVD data for vulnerability tracking and remediation deadlines.
NVD Enrichment Lag
The NVD enrichment process — assigning CVSS scores, CWE mappings, and CPE data to new CVE entries — takes time. In 2024, NVD faced significant backlogs with thousands of CVEs awaiting enrichment. This lag means:
- A CVE may be published with a description but no CVSS score for days or weeks
- Scanners that rely on NVD CVSS scores may not flag a new vulnerability until enrichment is complete
- The period between CVE publication and NVD enrichment is a window of reduced automated detection
Vendor-specific vulnerability databases (Snyk, GitHub Advisory Database, OSV) often enrich vulnerability data faster than NVD and serve as supplementary sources for security tools that need timely scoring.
NVD vs. Other Vulnerability Databases
| Database | Operator | Coverage | Enrichment Speed | Primary Use |
|---|---|---|---|---|
| NVD | NIST (US gov) | All CVEs | Moderate — can lag on new CVEs | Authoritative reference, compliance |
| GitHub Advisory | GitHub | Packages in GitHub ecosystem | Fast | Dependabot, code scanning |
| OSV | Google | Open source packages | Fast | osv-scanner, supply chain |
| Snyk DB | Snyk (commercial) | Packages + custom research | Fast, includes non-CVE vulns | Snyk scanner, developer tooling |
| VulnDB | Risk Based Security | Broader than NVD | Variable | Commercial vulnerability intelligence |
NVD and Autonomous Code Governance
Hydra integrates NVD, the GitHub Advisory Database, and OSV as data sources for dependency vulnerability detection — ensuring that new CVEs are reflected in dependency scanning as quickly as any of the three databases is updated, rather than waiting for NVD enrichment alone. When a CVE is published affecting a dependency in a governed codebase, Hydra generates an upgrade pull request immediately upon detection — treating the NVD enrichment lag as a risk window to be eliminated rather than a design constraint to be worked around. All CVEs referenced in Hydra findings link directly to NVD for full context and remediation guidance.
Frequently Asked Questions
Is NVD the only source of vulnerability data I should use?
No. NVD is authoritative and comprehensive but can lag on enrichment. For dependency scanning, supplement NVD with the GitHub Advisory Database and OSV, which often publish vulnerability data faster and with package-ecosystem-specific details. For complete coverage, use a security tool that aggregates multiple sources rather than querying NVD directly.
How do I access NVD data?
NVD provides a free public REST API (nvd.nist.gov/developers/vulnerabilities) that returns CVE data including CVSS scores, CWE mappings, and CPE affected products. The API supports querying by CVE ID, CPE name, CWE ID, publication date, and CVSS score range. Rate limiting applies to unauthenticated requests; an API key (free) increases rate limits.
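As an added example that is not part of the original article, the following Python reads a record shaped like an NVD API 2.0 response, extracts the CVSS score and CWE mapping, flags records that are still awaiting enrichment (the lag described above), and performs the version-range CPE match that dependency scanners rely on. The CVE ids, vendor and product names are constructed placeholders, and `parse_version` assumes dotted numeric versions.

```python
import json
# Constructed sample in the shape of an NVD API 2.0 response; the CVE id, vendor
# and product are placeholders, not a real vulnerability.
SAMPLE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-00001", "vulnStatus": "Analyzed",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"}]}]}]}}]})
# Constructed record for a CVE that NVD has published but not yet enriched.
PENDING = json.dumps({"vulnerabilities": [{"cve": {"id": "CVE-0000-00002",
    "vulnStatus": "Awaiting Analysis", "metrics": {}, "weaknesses": [], "configurations": []}}]})
PENDING_STATES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

def parse_version(v):
    # Dotted numeric versions only; real CPE data also carries non-numeric parts.
    return tuple(int(p) for p in v.split("."))

def cpe_match_applies(match, vendor, product, version):
    """True if one NVD cpeMatch entry covers vendor/product/version."""
    if not match.get("vulnerable", False):
        return False
    # CPE 2.3 fields: cpe:2.3:part:vendor:product:version:update:edition:lang:sw_ed:target_sw:target_hw:other
    f = match["criteria"].split(":")
    if f[3] != vendor or f[4] != product:
        return False
    v = parse_version(version)
    if f[5] != "*":                       # explicit version in the CPE string: exact match
        return parse_version(f[5]) == v
    lo_i, lo_x = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_i, hi_x = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if (lo_i and v < parse_version(lo_i)) or (lo_x and v <= parse_version(lo_x)):
        return False
    if (hi_i and v > parse_version(hi_i)) or (hi_x and v >= parse_version(hi_x)):
        return False
    return True

def summarize(record_json):
    """Extract the enrichment fields a scanner needs; flag records still awaiting analysis."""
    cve = json.loads(record_json)["vulnerabilities"][0]["cve"]
    v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
    return {"id": cve["id"], "status": cve["vulnStatus"],
            "cvss": v31[0]["cvssData"]["baseScore"] if v31 else None,
            "cwes": [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]],
            "enrichment_pending": cve["vulnStatus"] in PENDING_STATES or not v31,
            "matches": [m for c in cve.get("configurations", []) for n in c["nodes"] for m in n["cpeMatch"]]}

def affected(record_json, vendor, product, version):
    # Version-specific match of an SBOM component against the record's CPE data.
    return any(cpe_match_applies(m, vendor, product, version) for m in summarize(record_json)["matches"])
```

A record whose `enrichment_pending` flag is set has no NVD score to act on yet, which is exactly the case where a scanner should consult a supplementary source rather than treat the CVE as low severity.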
What is the difference between the CVE database and NVD?
The CVE database (cve.org, maintained by MITRE) is the authoritative source for CVE identifiers and basic descriptions. NVD (nvd.nist.gov, maintained by NIST) enriches CVE data with CVSS scores, CWE classifications, and CPE affected product lists. Both are US government-affiliated programs. Most security tools query NVD because it has the richer structured data needed for automated vulnerability management.