National Institute of Standards and Technology · Capability
NIST National Vulnerability Database (NVD) API
The National Vulnerability Database (NVD) API, operated by the National Institute of Standards and Technology, provides programmatic access to Common Vulnerabilities and Exposures (CVE) records, CVE change history, and Common Platform Enumeration (CPE) records. The API supports pagination, filtering, and date-range queries for vulnerability and product data.
What You Can Do
GET
Getcves
— Search CVE records
/rest/json/cves/2.0
GET
Getcvehistory
— Retrieve CVE change history
/rest/json/cvehistory/2.0
GET
Getcpes
— Search CPE records
/rest/json/cpes/2.0
MCP Tools
getcves
Search CVE records
read-only
idempotent
getcvehistory
Retrieve CVE change history
read-only
idempotent
getcpes
Search CPE records
read-only
idempotent
Capability Spec
naftiko: 1.0.0-alpha2
info:
label: NIST National Vulnerability Database (NVD) API
description: The National Vulnerability Database (NVD) API, operated by the National Institute of Standards and Technology,
provides programmatic access to Common Vulnerabilities and Exposures (CVE) records, CVE change history, and Common Platform
Enumeration (CPE) records. The API supports pagination, filtering, and date-range queries for vulnerability and product
data.
tags:
- National
- Institute
- Of
- Standards
- And
- Technology
created: '2026-05-06'
modified: '2026-05-06'
capability:
consumes:
- type: http
namespace: national-institute-of-standards-and-technology
baseUri: https://services.nvd.nist.gov
description: NIST National Vulnerability Database (NVD) API HTTP API.
resources:
- name: rest-json-cves-2-0
path: /rest/json/cves/2.0
operations:
- name: getcves
method: GET
description: Search CVE records
inputParameters:
- name: cpeName
in: query
type: string
description: Filter by specific CPE name.
- name: cveId
in: query
type: string
description: Retrieve a specific CVE by its identifier.
- name: cveTag
in: query
type: string
description: Filter by CVE tag (disputed, unsupported-when-assigned, exclusively-hosted-service).
- name: cvssV2Metrics
in: query
type: string
- name: cvssV2Severity
in: query
type: string
- name: cvssV3Metrics
in: query
type: string
- name: cvssV3Severity
in: query
type: string
- name: cvssV4Metrics
in: query
type: string
- name: cvssV4Severity
in: query
type: string
- name: cweId
in: query
type: string
description: Filter by Common Weakness Enumeration identifier.
- name: hasCertAlerts
in: query
type: boolean
- name: hasCertNotes
in: query
type: boolean
- name: hasKev
in: query
type: boolean
- name: hasOval
in: query
type: boolean
- name: isVulnerable
in: query
type: boolean
- name: kevStartDate
in: query
type: string
- name: kevEndDate
in: query
type: string
- name: keywordSearch
in: query
type: string
description: Search description text for keywords.
- name: keywordExactMatch
in: query
type: boolean
- name: lastModStartDate
in: query
type: string
description: Last modified start date (max 120-day range).
- name: lastModEndDate
in: query
type: string
- name: pubStartDate
in: query
type: string
description: Published start date (max 120-day range).
- name: pubEndDate
in: query
type: string
- name: resultsPerPage
in: query
type: integer
description: Maximum results per page (max 2000).
- name: startIndex
in: query
type: integer
description: Zero-based pagination offset.
- name: sourceIdentifier
in: query
type: string
- name: virtualMatchString
in: query
type: string
- name: versionStart
in: query
type: string
- name: versionStartType
in: query
type: string
- name: versionEnd
in: query
type: string
- name: versionEndType
in: query
type: string
- name: noRejected
in: query
type: boolean
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: rest-json-cvehistory-2-0
path: /rest/json/cvehistory/2.0
operations:
- name: getcvehistory
method: GET
description: Retrieve CVE change history
inputParameters:
- name: changeStartDate
in: query
type: string
description: Change event start date (max 120-day range).
- name: changeEndDate
in: query
type: string
- name: cveId
in: query
type: string
- name: eventName
in: query
type: string
description: Filter by event type such as CVE Received, Initial Analysis, Reanalysis, CVE Modified, Modified Analysis,
CVE Translated, Vendor Comment, CVE Source Update, CPE
- name: resultsPerPage
in: query
type: integer
description: Maximum results per page (max 5000).
- name: startIndex
in: query
type: integer
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: rest-json-cpes-2-0
path: /rest/json/cpes/2.0
operations:
- name: getcpes
method: GET
description: Search CPE records
inputParameters:
- name: cpeNameId
in: query
type: string
description: Specific CPE record UUID.
- name: cpeMatchString
in: query
type: string
- name: keywordSearch
in: query
type: string
- name: keywordExactMatch
in: query
type: boolean
- name: lastModStartDate
in: query
type: string
- name: lastModEndDate
in: query
type: string
- name: matchCriteriaId
in: query
type: string
- name: resultsPerPage
in: query
type: integer
description: Maximum results per page (default and max 10000).
- name: startIndex
in: query
type: integer
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
exposes:
- type: rest
port: 8080
namespace: national-institute-of-standards-and-technology-rest
description: REST adapter for NIST National Vulnerability Database (NVD) API.
resources:
- path: /rest/json/cves/2.0
name: getcves
operations:
- method: GET
name: getcves
description: Search CVE records
call: national-institute-of-standards-and-technology.getcves
outputParameters:
- type: object
mapping: $.
- path: /rest/json/cvehistory/2.0
name: getcvehistory
operations:
- method: GET
name: getcvehistory
description: Retrieve CVE change history
call: national-institute-of-standards-and-technology.getcvehistory
outputParameters:
- type: object
mapping: $.
- path: /rest/json/cpes/2.0
name: getcpes
operations:
- method: GET
name: getcpes
description: Search CPE records
call: national-institute-of-standards-and-technology.getcpes
outputParameters:
- type: object
mapping: $.
- type: mcp
port: 9090
namespace: national-institute-of-standards-and-technology-mcp
transport: http
description: MCP adapter for NIST National Vulnerability Database (NVD) API for AI agent use.
tools:
- name: getcves
description: Search CVE records
hints:
readOnly: true
destructive: false
idempotent: true
call: national-institute-of-standards-and-technology.getcves
with:
cpeName: tools.cpeName
cveId: tools.cveId
cveTag: tools.cveTag
cvssV2Metrics: tools.cvssV2Metrics
cvssV2Severity: tools.cvssV2Severity
cvssV3Metrics: tools.cvssV3Metrics
cvssV3Severity: tools.cvssV3Severity
cvssV4Metrics: tools.cvssV4Metrics
cvssV4Severity: tools.cvssV4Severity
cweId: tools.cweId
hasCertAlerts: tools.hasCertAlerts
hasCertNotes: tools.hasCertNotes
hasKev: tools.hasKev
hasOval: tools.hasOval
isVulnerable: tools.isVulnerable
kevStartDate: tools.kevStartDate
kevEndDate: tools.kevEndDate
keywordSearch: tools.keywordSearch
keywordExactMatch: tools.keywordExactMatch
lastModStartDate: tools.lastModStartDate
lastModEndDate: tools.lastModEndDate
pubStartDate: tools.pubStartDate
pubEndDate: tools.pubEndDate
resultsPerPage: tools.resultsPerPage
startIndex: tools.startIndex
sourceIdentifier: tools.sourceIdentifier
virtualMatchString: tools.virtualMatchString
versionStart: tools.versionStart
versionStartType: tools.versionStartType
versionEnd: tools.versionEnd
versionEndType: tools.versionEndType
noRejected: tools.noRejected
inputParameters:
- name: cpeName
type: string
description: Filter by specific CPE name.
- name: cveId
type: string
description: Retrieve a specific CVE by its identifier.
- name: cveTag
type: string
description: Filter by CVE tag (disputed, unsupported-when-assigned, exclusively-hosted-service).
- name: cvssV2Metrics
type: string
description: cvssV2Metrics
- name: cvssV2Severity
type: string
description: cvssV2Severity
- name: cvssV3Metrics
type: string
description: cvssV3Metrics
- name: cvssV3Severity
type: string
description: cvssV3Severity
- name: cvssV4Metrics
type: string
description: cvssV4Metrics
- name: cvssV4Severity
type: string
description: cvssV4Severity
- name: cweId
type: string
description: Filter by Common Weakness Enumeration identifier.
- name: hasCertAlerts
type: boolean
description: hasCertAlerts
- name: hasCertNotes
type: boolean
description: hasCertNotes
- name: hasKev
type: boolean
description: hasKev
- name: hasOval
type: boolean
description: hasOval
- name: isVulnerable
type: boolean
description: isVulnerable
- name: kevStartDate
type: string
description: kevStartDate
- name: kevEndDate
type: string
description: kevEndDate
- name: keywordSearch
type: string
description: Search description text for keywords.
- name: keywordExactMatch
type: boolean
description: keywordExactMatch
- name: lastModStartDate
type: string
description: Last modified start date (max 120-day range).
- name: lastModEndDate
type: string
description: lastModEndDate
- name: pubStartDate
type: string
description: Published start date (max 120-day range).
- name: pubEndDate
type: string
description: pubEndDate
- name: resultsPerPage
type: integer
description: Maximum results per page (max 2000).
- name: startIndex
type: integer
description: Zero-based pagination offset.
- name: sourceIdentifier
type: string
description: sourceIdentifier
- name: virtualMatchString
type: string
description: virtualMatchString
- name: versionStart
type: string
description: versionStart
- name: versionStartType
type: string
description: versionStartType
- name: versionEnd
type: string
description: versionEnd
- name: versionEndType
type: string
description: versionEndType
- name: noRejected
type: boolean
description: noRejected
outputParameters:
- type: object
mapping: $.
- name: getcvehistory
description: Retrieve CVE change history
hints:
readOnly: true
destructive: false
idempotent: true
call: national-institute-of-standards-and-technology.getcvehistory
with:
changeStartDate: tools.changeStartDate
changeEndDate: tools.changeEndDate
cveId: tools.cveId
eventName: tools.eventName
resultsPerPage: tools.resultsPerPage
startIndex: tools.startIndex
inputParameters:
- name: changeStartDate
type: string
description: Change event start date (max 120-day range).
- name: changeEndDate
type: string
description: changeEndDate
- name: cveId
type: string
description: cveId
- name: eventName
type: string
description: Filter by event type such as CVE Received, Initial Analysis, Reanalysis, CVE Modified, Modified Analysis,
CVE Translated, Vendor Comment, CVE Source Update, CPE
- name: resultsPerPage
type: integer
description: Maximum results per page (max 5000).
- name: startIndex
type: integer
description: startIndex
outputParameters:
- type: object
mapping: $.
- name: getcpes
description: Search CPE records
hints:
readOnly: true
destructive: false
idempotent: true
call: national-institute-of-standards-and-technology.getcpes
with:
cpeNameId: tools.cpeNameId
cpeMatchString: tools.cpeMatchString
keywordSearch: tools.keywordSearch
keywordExactMatch: tools.keywordExactMatch
lastModStartDate: tools.lastModStartDate
lastModEndDate: tools.lastModEndDate
matchCriteriaId: tools.matchCriteriaId
resultsPerPage: tools.resultsPerPage
startIndex: tools.startIndex
inputParameters:
- name: cpeNameId
type: string
description: Specific CPE record UUID.
- name: cpeMatchString
type: string
description: cpeMatchString
- name: keywordSearch
type: string
description: keywordSearch
- name: keywordExactMatch
type: boolean
description: keywordExactMatch
- name: lastModStartDate
type: string
description: lastModStartDate
- name: lastModEndDate
type: string
description: lastModEndDate
- name: matchCriteriaId
type: string
description: matchCriteriaId
- name: resultsPerPage
type: integer
description: Maximum results per page (default and max 10000).
- name: startIndex
type: integer
description: startIndex
outputParameters:
- type: object
mapping: $.