NVD vs CVE: what is the difference?
Last reviewed June 2, 2026
The CVE List is the catalog of vulnerability identifiers, maintained by the MITRE-led CVE Program, where CNAs assign each flaw a CVE record. The NVD (National Vulnerability Database) is a separate NIST resource that ingests those CVE records and enriches them with CVSS scores, CWE weakness mappings, and CPE product data. In short, the CVE List is the source of identifiers and the NVD is an enrichment layer built on top of it.
The core difference
The CVE List and the NVD are two distinct things that are often treated as one. The CVE List, operated by the CVE Program under MITRE, is the authoritative source of CVE identifiers and their basic records. CNAs (CVE Numbering Authorities) assign identifiers and submit the initial description and references.
The NVD, run by the National Institute of Standards and Technology (NIST), does not assign CVE identifiers. Instead it consumes the CVE List and adds an enrichment layer: CVSS severity scores, CWE weakness classifications, and CPE entries that identify affected products. Every NVD record begins life as a CVE record.
Side-by-side comparison
| Attribute | CVE List | NVD |
|---|---|---|
| What it is | The catalog of vulnerability identifiers and records | An enriched database built on top of the CVE List |
| Operated by | The CVE Program, led by MITRE | NIST (National Institute of Standards and Technology) |
| Primary role | Assigning and publishing CVE identifiers | Analyzing and enriching published CVE records |
| Who contributes | CNAs (CVE Numbering Authorities) | NVD analysts at NIST |
| Adds CVSS scores | Sometimes, when provided by a CNA | Yes, as part of standard analysis |
| Adds CWE and CPE data | Limited | Yes (weakness type and affected products) |
| Source of truth for | The identifier and base record | Enrichment metadata and searchable index |
How data flows between them
The relationship is a pipeline. A CNA assigns a CVE identifier and publishes the base record to the CVE List. The NVD then ingests that record and an analyst attaches enrichment data, after which the entry becomes searchable through NVD interfaces and feeds.
This means the NVD is downstream of the CVE List. If a flaw has no CVE identifier, it does not appear in the NVD. The CVE List defines what exists, and the NVD describes those entries in greater detail.
- Step 1: A CNA assigns a CVE identifier and publishes a base record to the CVE List.
- Step 2: The NVD ingests the published CVE record.
- Step 3: NVD analysts add CVSS scores, CWE mappings, and CPE product data.
- Step 4: The enriched record becomes searchable and available through NVD feeds.
The 2024 NVD enrichment backlog
In early 2024 the NVD sharply slowed its enrichment of new CVE records, leaving a large and growing backlog of published CVEs that lacked CVSS scores, CWE mappings, and CPE data. NIST cited factors including an increase in the volume of submitted vulnerabilities and changes in its processes.
The backlog highlighted the practical distinction between the two sources. The CVE identifiers continued to be assigned and published on the CVE List as normal, but the enrichment that many teams rely on from the NVD was delayed. As a result, organizations increasingly turned to alternative enrichment sources, such as CNA-provided scores and the CISA Vulnrichment program, to fill the gap.
Keep exploring
- What is the NVD?The NIST database that enriches CVE records.
- What is a CVE?How vulnerability identifiers are assigned.
- What is Vulnrichment?CISA enrichment that supplements the NVD.
- What is a CNA?The authorities that assign CVE identifiers.
- What is MITRE?The organization that runs the CVE Program.
- CWE directoryThe weakness taxonomy used in NVD enrichment.
Frequently asked questions
- Does the NVD assign CVE identifiers?
- No. CVE identifiers are assigned by CNAs under the MITRE-led CVE Program and published to the CVE List. The NVD consumes those identifiers and adds enrichment data; it does not create the identifiers itself.
- Why might a CVE exist but have no NVD CVSS score?
- A CVE is published to the CVE List as soon as a CNA assigns it, but NVD enrichment is a separate downstream step. During the 2024 enrichment backlog, many published CVEs waited extended periods before receiving NVD analysis.
- What does the NVD add that the CVE List may not have?
- The NVD typically adds a CVSS severity score, a CWE weakness classification, and CPE entries identifying affected products and versions, along with a searchable index and data feeds.
- What is CISA Vulnrichment and how does it relate?
- Vulnrichment is a CISA program that adds enrichment data, such as CVSS, CWE, and exploitation context, directly to CVE records. It emerged in part to help address gaps left by the NVD enrichment backlog.
