NVD CVEs — Free US National Vulnerability Database API (No Key)

TL;DR

The National Vulnerability Database (NVD) API from NIST provides programmatic access to the most comprehensive repository of cybersecurity vulnerabilities (CVEs) in the world. Each entry includes the CVE identifier, CVSS severity scores (v2, v3, v4), affected product configurations, published date, last modified date, and detailed descriptions. The API supports keyword search, CPE-based product filtering, date ranges, and CVSS score thresholds.

Quick start: https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=linux

No API key needed — just make a request!

How to Use This API

1. Search by Keyword

https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=linux&resultsPerPage=5

2. Filter by Severity

https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=apache&cvssV3Severity=CRITICAL

3. By Date Range

https://services.nvd.nist.gov/rest/json/cves/2.0?pubStartDate=2026-01-01T00:00:00.000&pubEndDate=2026-06-15T00:00:00.000

4. JavaScript — Fetch CVEs

fetch('https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=openssl&resultsPerPage=5')
  .then(r => r.json())
  .then(d => {
    d.vulnerabilities.forEach(v => {
      const cve = v.cve;
      const metrics = cve.metrics?.cvssMetricV31?.[0]?.cvssData;
      console.log(cve.id, '—', metrics?.baseScore || 'N/A',
        metrics?.baseSeverity || '');
    });
  });

5. Python — Get CVSS Scores

import requests

resp = requests.get('https://services.nvd.nist.gov/rest/json/cves/2.0', params={
    'keywordSearch': 'kernel',
    'resultsPerPage': 10
})
for vuln in resp.json()['vulnerabilities']:
    cve = vuln['cve']
    print(f"{cve['id']}: {cve['descriptions'][0]['value'][:80]}...")

Try it: https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=linux&resultsPerPage=3

Try This URL Now

Frequently Asked Questions

Do I need an API key?: No, basic queries work without authentication. A free API key provides higher rate limits (50 requests per 30 seconds vs. 5 requests per 30 seconds).
What is a CVE?: Common Vulnerabilities and Exposures — a unique identifier for a specific cybersecurity vulnerability. Format: CVE-YYYY-NNNNN.
What severity scores does NVD provide?: CVSS v2.0, v3.1, and v4.0 scores including base score, temporal score, environmental score, and severity ratings (NONE, LOW, MEDIUM, HIGH, CRITICAL).
How do I search by CPE (product)?: Use the cpeName parameter with a CPE 2.3 formatted string like cpe:2.3:o:microsoft:windows_10 for product-specific vulnerabilities.
What date format does the API require?: ISO 8601 format: YYYY-MM-DDTHH:mm:ss.sss. The pubStartDate and pubEndDate parameters filter by publication date.

What You Can Build

Vulnerability scanner dashboard for system admins
Security patch prioritization tool by CVSS score
Product vulnerability history tracker
Security research data aggregator
Automated CVE alerting system