In depth
The NVD's value lies in the analyst layer. A raw CVE record from a CNA may have a vague text description and no CPE matching; the NVD analysts then read the vendor advisory, the patch commit, the security research, and convert that into structured applicability data that lets an automated tool decide "this CVE applies to my deployed nginx 1.24.0 but not to my nginx 1.25.3." Without NVD enrichment, an SBOM-to-CVE matching pipeline produces enormous numbers of false positives because raw CVE records do not unambiguously identify affected versions.
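The applicability decision described above, as an added example that is not from the page or the NVD itself: it evaluates a CPE match entry in the shape of the NVD 1.1 JSON feed (`cpe23Uri` plus `versionStartIncluding` / `versionEndExcluding`) against a deployed product's CPE. The vendor/product strings and the affected range are constructed sample data, not a real advisory.

```python
"""Added example: decide whether an NVD-enriched CVE applies to a deployed version.
The configuration structure mirrors the NVD 1.1 feed shape; the range below is
constructed sample data, not a real CVE's applicability statement."""
import re

# part : vendor : product : version (remaining CPE 2.3 fields are ignored here)
CPE_RE = re.compile(r"^cpe:2\.3:([aho]):([^:]+):([^:]+):([^:]+)")


def parse_version(v):
    """Split '1.25.3' into (1, 25, 3) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def cpe_matches(match, deployed_cpe):
    """True if the deployed CPE falls inside a single NVD cpe_match entry."""
    m_part, m_vendor, m_product, m_version = CPE_RE.match(match["cpe23Uri"]).groups()
    d_part, d_vendor, d_product, d_version = CPE_RE.match(deployed_cpe).groups()
    if (m_part, m_vendor, m_product) != (d_part, d_vendor, d_product):
        return False
    if m_version not in ("*", "-"):          # exact version pinned in the URI itself
        return m_version == d_version
    dv = parse_version(d_version)
    lo_inc = match.get("versionStartIncluding")
    hi_exc = match.get("versionEndExcluding")
    hi_inc = match.get("versionEndIncluding")
    if lo_inc and dv < parse_version(lo_inc):
        return False
    if hi_exc and dv >= parse_version(hi_exc):
        return False
    if hi_inc and dv > parse_version(hi_inc):
        return False
    return True


def cve_applies(configurations, deployed_cpe):
    """Any vulnerable cpe_match in any OR node makes the CVE applicable."""
    return any(cpe_matches(m, deployed_cpe)
               for node in configurations
               for m in node["cpe_match"] if m.get("vulnerable", True))


# Constructed enrichment record: affected versions are [1.20.0, 1.25.0).
SAMPLE_CONFIGURATIONS = [{
    "operator": "OR",
    "cpe_match": [{
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "1.20.0",
        "versionEndExcluding": "1.25.0",
    }],
}]

if __name__ == "__main__":
    for v in ("1.24.0", "1.25.3"):
        print(v, cve_applies(SAMPLE_CONFIGURATIONS, f"cpe:2.3:a:f5:nginx:{v}:*:*:*:*:*:*:*"))
```

Without the version-range fields a matcher can only compare vendor and product, which is exactly why unenriched records flag every deployed nginx build and produce the false positives described above.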
NVD experienced a well-publicised analysis-backlog crisis in 2024 — for several months, the rate of incoming CVEs exceeded NVD's enrichment throughput, leaving thousands of CVEs with no CVSS, no CPE and no CWE. The crisis triggered ecosystem responses: GitHub Security Advisory database, OSV.dev (Google's open vulnerability database), and the EU Vulnerability Database (EUVD, operational from 2025 under ENISA) emerged as parallel sources. Modern vulnerability-management pipelines now ingest multiple sources rather than relying solely on NVD.
For practitioners, NVD remains the canonical reference for federal-procurement and regulated-industry contexts; OSV and GHSA are better for fast-moving open-source ecosystems where they often publish before NVD. Best practice is to query all three and reconcile. See VAPT services and supply chain attacks 2026.