NVD API 2.0
National Vulnerability Database
Stable NVD-compatible API responses for teams that need reliable vulnerability ingestion.
Providing what the NVD is lacking.
This is a fully NVD 2.0-compatible API: same endpoints, same response shape, drop-in replacement for the feed you already call. Unlike the NVD, we provide complete CVSS 3.1 and 4.0 vectors for every CVE in the database. Every product match is validated against the official CPE dictionary, resolving accurate vendor, product, and version ranges so no invented identifiers slip through. That CPE coverage is not limited to the subset the NVD has chosen to prioritize for enrichment. Every CVE gets the same treatment, including the long tail the NVD leaves blank.
The scores come from an auditable attack graph we build for each CVE (see example). We map the full attack surface, score every viable path individually, and use the highest-scoring path as the final vector, the same methodology we presented at VulnCon26 earlier this year. Every reference tied to a CVE is also individually read and tagged by type (advisory, patch, exploit, write-up, and others), so downstream tooling can filter and act on references without manual triage.
We also went further on the descriptions. Original NVD records are frequently terse, recycled from the submitter, or missing context entirely. Every CVE in our feed carries a rewritten description produced by our agents after ingesting the full reference set: advisories, patches, proof-of-concept write-ups, researcher posts. The result is a description that actually explains what the vulnerability is, what it affects, and why it matters.
"https://services.nvd.nist.gov/rest/json/cves/2.0""https://api.volerion.com/v1/nvd/rest/json/cves/2.0"One endpoint change. Full NVD 2.0 compatibility.
NIST has stopped enriching most CVEs
CVE submissions surged 263% between 2020 and 2025 and NIST can no longer keep up. Starting April 2026, only CVEs on the CISA KEV list or tied to federal software get enriched on time. Everything else is parked as not scheduled, which is the majority of the CVE stream, arriving without severity scores, without CPE data, and without the context your tools depend on.
Read the NIST announcement →
The enriched data that does exist cannot be trusted either
We spent months filing corrections to CISA Vulnrichment, the team stepping in to fill the gap left by NIST, and every single submission was accepted. Wrong attack vectors, merged scenarios, missed race conditions. This is not edge-case noise. It is systematic, and it flows directly into your dashboards, alert rules, and patch queues the moment you ingest a public feed.
Read the full analysis →“Volerion gives us what NVD can't: instant, accurate context on every CVE. With remediation steps ready to go. When Hadrian finds the risk, Volerion makes sure nobody wastes time figuring out what it means.”
Hadrian
Security vendor, Amsterdam
Is this really NVD 2.0 compatible?
Yes. Responses follow the NVD 2.0 schema, so existing parsers and tooling keep working without changes.
What do I need to change in my integration?
Only the base URL. Replace https://services.nvd.nist.gov/rest/json/cves/2.0 with https://api.volerion.com/v1/nvd/rest/json/cves/2.0.
Do I need to rewrite my parser?
No. Field shapes and semantics match NVD 2.0. Your existing parser ingests responses as-is.
Are there any rate limits?
Normal usage is covered at 2 requests per second. Higher throughput is available. Contact us to discuss your requirements.