What is the NVD (National Vulnerability Database)?
Last reviewed June 2, 2026
The NVD (National Vulnerability Database) is the U.S. government vulnerability repository run by NIST. It consumes CVE records from the CVE Program and enriches them with analysis: CVSS severity scores, CWE weakness mappings, and CPE applicability statements that pin down which products are affected. The NVD does not assign CVE IDs -- it builds an analysis layer on top of the records that CNAs publish.
NVD in one sentence
The National Vulnerability Database (NVD) is a repository of vulnerability data maintained by the U.S. National Institute of Standards and Technology (NIST). It is built directly on top of the CVE List.
Every CVE published by the CVE Program flows into the NVD, where NIST analysts add structured metadata that the original CVE record may lack.
What the NVD adds to a CVE
- CVSS severity scores and vectors, often a NIST-assigned base score in addition to any vendor score.
- CWE mappings that classify the underlying weakness type.
- CPE applicability statements describing exactly which products and versions are affected.
- References and tags that group and label the source links.
CVE vs NVD: what is the difference?
The CVE List, maintained by the CVE Program (MITRE, sponsored by CISA), is the authoritative source of the identifiers and base records. The NVD is a downstream consumer: it ingests those records and layers analysis on top.
So a CVE ID originates in the CVE Program, while the rich severity and product data many tools rely on often originates in the NVD. The two are complementary, not competing.
Why the NVD matters
For years the NVD was the default place defenders pulled CVSS scores and CPE data, and countless scanners and feeds were built around its API. Its CPE applicability statements in particular make it possible to match a CVE to specific installed software automatically.
Because CISA's Vulnrichment ADP now also adds CVSS, CWE, and CPE data directly into CVE records, defenders increasingly draw enrichment from both the NVD and the CVE Program itself.
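The automatic matching and multi-source scoring described above, as an added example that is not NVD or NIST code. The record, vendor names and inventory are constructed, the CVE ID is a placeholder, and the field names assume the NVD CVE API 2.0 JSON layout.

```python
# Constructed sample shaped like one "cve" object from the NVD CVE API 2.0 (not real data).
RECORD = {
    "id": "CVE-YYYY-NNNN",  # placeholder, not a real identifier
    "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"baseScore": 9.8}},
        {"source": "security@vendor.example", "type": "Secondary",
         "cvssData": {"baseScore": 7.5}},
    ]},
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.7"},
    ]}]}],
}
# Constructed inventory: (vendor, product, version) using CPE-style lowercase names.
INVENTORY = [("examplevendor", "exampleapp", "2.4.6"), ("examplevendor", "exampleapp", "2.4.7"),
             ("examplevendor", "exampleapp", "2.10.0"), ("othervendor", "exampleapp", "2.1.0")]

def version_key(v):
    """Dotted numeric versions only, so 2.10.0 sorts after 2.4.7."""
    return tuple(int(p) for p in v.split("."))

def cpe_match(match, vendor, product, version):
    """True if one cpeMatch entry marks this vendor/product/version vulnerable."""
    parts = match["criteria"].split(":")  # assumes no escaped ':' in the CPE name
    if not match.get("vulnerable") or (parts[3], parts[4]) != (vendor, product):
        return False
    if parts[5] != "*":                   # exact version pinned in the CPE name
        return parts[5] == version
    v = version_key(version)
    bounds = {"versionStartIncluding": lambda b: v >= b,
              "versionStartExcluding": lambda b: v > b,
              "versionEndIncluding": lambda b: v <= b,
              "versionEndExcluding": lambda b: v < b}
    return all(ok(version_key(match[k])) for k, ok in bounds.items() if k in match)

def affected(record, inventory):
    """Inventory items hit by any cpeMatch (simple OR nodes; AND/negate not handled)."""
    matches = [m for c in record.get("configurations", [])
               for n in c["nodes"] for m in n["cpeMatch"]]
    return [item for item in inventory if any(cpe_match(m, *item) for m in matches)]

def scores_by_source(record):
    """One CVE can carry several base scores; keep them keyed by who assigned them."""
    return {m["source"]: m["cvssData"]["baseScore"]
            for m in record.get("metrics", {}).get("cvssMetricV31", [])}

if __name__ == "__main__":
    print(affected(RECORD, INVENTORY), scores_by_source(RECORD))
```

Version 2.10.0 is correctly excluded only because versions are compared numerically; a plain string comparison would place it inside the vulnerable range.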
Keep exploring
- What is a CVE? The records the NVD consumes.
- What is CVSS? The severity scores the NVD adds.
- What is a CPE? The product naming scheme the NVD uses.
- What is a CWE? The weakness types the NVD maps to.
- CNA vs Root vs ADP: How enrichment roles like Vulnrichment fit in.
- NVD vs CVE: The CVE List versus the NVD enrichment layer.
- What is OSV? Open, distributed database for open-source vulnerabilities.
Frequently asked questions
- Who runs the NVD?
- The NVD is run by NIST, the U.S. National Institute of Standards and Technology.
- Does the NVD assign CVE IDs?
- No. CVE IDs are assigned by CNAs in the CVE Program. The NVD consumes those CVEs and enriches them with CVSS, CWE, and CPE data.
- What is the difference between CVE and NVD?
- The CVE List is the source of the identifiers and base records; the NVD is a downstream database that adds analysis such as scores and product applicability.
- Where do CVSS scores come from?
- CVSS scores can come from the assigning CNA, from the NVD's NIST analysts, and from CISA's Vulnrichment enrichment, so a single CVE may carry more than one score.