Understanding the Differences Between NVD and CVE

Summary

“The CVE vulnerability database is where vulnerabilities are first publicly recorded, but the NVD database provides additional contextual information that can help organizations understand the impact of each risk and how to remediate it”

The Common Vulnerabilities and Exposures (CVE) inventory and the National Vulnerability Database (NVD) are both valuable sources of insight into known software security vulnerabilities. But they provide different types of information – and understanding the differences between them is critical for determining whether you need CVE information, NVD data or both to address your cybersecurity needs.

Below, we discuss what CVE and NVD are, their similarities and differences, and the role that each plays in a modern cybersecurity strategy.

What is CVE?

CVE, which stands for Common Vulnerabilities and Exposures, is a public database of software security vulnerabilities. The CVE database is maintained by the MITRE Corporation, a nonprofit group that carries out government-funded cybersecurity research.

The goal of the CVE database is to provide a comprehensive list of software security flaws that have been publicly documented. Importantly, CVE doesn’t include all potential application security vulnerabilities; it only includes those that researchers have publicly disclosed and formally recorded within the CVE database. Software can be subject to security risks that are not yet publicly known.

Nonetheless, CVE is a highly valuable resource for determining whether known vulnerabilities impact software that a particular organization uses. Most vulnerability scanners rely on CVE data to determine which vulnerabilities to search for.

What is NVD?

The National Vulnerability Database, or NVD, is a repository that documents detailed information about known security vulnerabilities recorded in the CVE database. It’s maintained by the National Institute of Standards and Technology (NIST), a U.S. government agency.

The main purpose of the NVD is to provide contextual information about vulnerabilities registered in CVE. In addition to recording CVE identifiers, the NVD also includes information about the severity level of each CVE (based on its CVSS score) and which products or software versions it impacts. In some cases, the NVD includes remediation guidance as well, which developers or security analysts can use to determine how to fix a security flaw.

Because the NVD only describes vulnerabilities that have been recorded in CVE, it only covers known vulnerabilities.

Key differences between CVE and NVD

The main difference between CVE and NVD is that CVE simply lists vulnerabilities along with short descriptions, whereas NVD offers detailed information about how vulnerabilities work, which software they impact, and how to remediate them.

More specifically, key distinctions between CVE and NVD include:

  • Severity rating: Unlike CVE, NVD includes severity ratings for vulnerabilities. NVD scores vulnerability severity using CVSS, on a scale from 0 to 10, with higher scores reflecting more serious vulnerabilities. Severity assessments reflect factors such as how difficult it is to exploit a vulnerability and which types of harm attackers could cause.
  • Associated vendors: NVD always records any software vendors whose code is associated with a risk. CVE entries sometimes mention vendors within the vulnerability description, but CVE includes no systematic mechanism for tracking vendors.
  • Patch availability: If a patch is available for remediating a vulnerability, NVD makes note of it and typically provides a link to more information. CVE doesn’t include patch details; it just describes the vulnerability.
  • Advisories: NVD entries often link to third-party security advisories, which often provide even more details about vulnerabilities. CVE doesn’t include links to external advisories.

Similarities between NVD and CVE

Although NVD and CVE are distinct types of resources, and NVD includes more information than CVE, the data they record does overlap to some extent. Both databases provide:

  • Vulnerability identifiers: NVD and CVE both track vulnerabilities using unique identifiers. The identifiers are assigned by CVE and are formatted as CVE-[year]-[sequence number], for example CVE-2025-[sequence number] for an identifier assigned in 2025. For instance, CVE-2025-23013 is a vulnerability registered in 2025.
  • Vulnerability descriptions: Descriptions, which are typically about one paragraph in length, offer a concise overview of each vulnerability.
  • CWEs: Common Weakness Enumeration, or CWE, is a description of the underlying flaw that causes a vulnerability. NVD and CVE both record CWE information.
  • CPEs: Both databases also use the Common Platform Enumeration, or CPE, which is a standardized naming system for identifying IT resources.

You can find this information in both NVD and CVE because it originates within the CVE database and is then copied into NVD when the latter imports CVE entries.

How CVE and NVD work together

CVE and NVD serve separate but closely related purposes.

CVE is the place where basic vulnerability data first appears. Put another way, it’s where cybersecurity researchers or software vendors go when they discover a new vulnerability that they want to report to the public. After they report the issue, it receives a CVE number and appears in the CVE database.

From there, NVD imports the information about each newly discovered vulnerability from CVE, and then augments it with the additional data described above, such as severity scores. Thus, the NVD records crucial context that isn’t available from CVE entries, but CVE data serves as the foundation on which NVD entries are built.

NVD vs. CVE: What to use when

Because NVD and CVE both record all publicly known vulnerabilities, they can each support the critical task of determining whether any code within an organization’s software supply chain is subject to known vulnerabilities. For example, if a software library has been reported to be vulnerable, either database would record the issue, allowing businesses that use the library to determine that they are at risk.

However, the NVD is more useful for security teams that want to determine how best to remediate a vulnerability. It also helps to assess how much damage a vulnerability may cause if it remains unpatched. That said, it’s important to note that NVD severity scores are generic, and vulnerability exploitability can vary from one environment to another. As a result, vulnerabilities identified by NVD as severe may not actually pose a threat to a specific organization because its environment may be configured in a way that prevents the vulnerability from causing harm.

As for CVE, it offers the advantage of faster vulnerability reporting. There is a delay between when a vulnerability is first recorded in CVE and when NVD creates an entry for it. Usually, the lag is no more than an hour or two, but it can be longer in some cases – and when you’re dealing with zero-day vulnerabilities (meaning ones that attackers can exploit immediately), the faster you discover and remediate the issue, the lower your chances of a breach.
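The script below is an added example (not Checkmarx's, MITRE's or NIST's code) that separates the fields that originate in CVE (identifier, description, CWE) from the context NVD layers on top (CVSS score, affected CPE ranges, patch references), and then runs the supply-chain check described above: does an installed vendor/product/version fall inside a vulnerable range? The record is constructed and shaped like one "cve" object from the NVD API 2.0 JSON (an assumption about field names); the CVE ID is a placeholder and the values are invented.

```python
import json
import re

# Constructed sample shaped like an NVD API 2.0 "cve" object (field names are an
# assumption). The ID is a placeholder and the data does not describe a real flaw.
NVD_RECORD = json.loads("""{
  "id": "CVE-2025-00000",
  "descriptions": [{"lang": "en", "value": "Placeholder: input is not validated."}],
  "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}]}],
  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
      "criteria": "cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.0"}]}]}],
  "references": [{"url": "https://example.invalid/fix", "tags": ["Vendor Advisory", "Patch"]},
                 {"url": "https://example.invalid/blog", "tags": ["Third Party Advisory"]}]
}""")

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-<year>-<sequence number>, 4 or more digits


def cve_core(rec):
    """Fields that originate in the CVE list itself: ID, description, CWE."""
    if not CVE_ID.match(rec["id"]):
        raise ValueError("malformed CVE identifier: %r" % rec["id"])
    desc = next(d["value"] for d in rec["descriptions"] if d["lang"] == "en")
    cwes = [d["value"] for w in rec["weaknesses"] for d in w["description"]]
    return {"id": rec["id"], "description": desc, "cwes": cwes}


def nvd_enrichment(rec):
    """Context NVD adds on top of CVE: CVSS score, affected CPEs, patch links."""
    cvss = rec["metrics"]["cvssMetricV31"][0]["cvssData"]
    cpes = [m for c in rec["configurations"] for n in c["nodes"] for m in n["cpeMatch"]]
    patches = [r["url"] for r in rec["references"] if "Patch" in r["tags"]]
    return {"score": cvss["baseScore"], "severity": cvss["baseSeverity"],
            "cpes": cpes, "patches": patches}


def _ver(s):
    return tuple(int(p) for p in s.split("."))


def is_affected(rec, vendor, product, version):
    """True if vendor/product/version falls inside any vulnerable CPE match range."""
    for m in nvd_enrichment(rec)["cpes"]:
        parts = m["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:...
        if not m["vulnerable"] or (parts[3], parts[4]) != (vendor, product):
            continue
        if parts[5] != "*" and parts[5] != version:  # exact-version CPE, no range
            continue
        lo, hi = m.get("versionStartIncluding"), m.get("versionEndExcluding")
        if (lo is None or _ver(lo) <= _ver(version)) and (hi is None or _ver(version) < _ver(hi)):
            return True
    return False
```

A match only says the installed version is inside NVD's affected range; as the text notes, whether the flaw is reachable in a given deployment still has to be judged against that environment.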

Conquering vulnerabilities with Checkmarx

When you use Checkmarx to keep your applications secure, you don’t have to worry about the differences between CVE and NVD. Checkmarx scans your applications and software supply chains for all known vulnerabilities, and then helps you assess their severity based on an evaluation customized for your environment. It also provides remediation guidance.

Checkmarx does all of this in one central platform, Checkmarx One – which means there’s no need to toggle between the CVE, NVD, and third-party sources to find and fix vulnerabilities. See for yourself by requesting a demo.