NVD API 2.0
NVD API Replacement Documentation
Drop-in compatible with the NVD CVE API 2.0 specification. Point your existing client at our base URL and it works without further changes.
Need the setup path first? Read the getting started guide or the migration rationale.
https://api.volerion.com/v1Authentication
All requests to /v1/nvd/* routes require an API key passed via the apiKey request header. This matches the credential convention used by nvd.nist.gov, so existing NVD clients require no modification beyond updating the base URL.
Obtain your key from the API Keys tab. Trial keys are available, and all requests, including trial requests, must include a valid key.
apiKey: YOUR_API_KEY Accept: application/json
/nvd/rest/json/cves/2.0Query Volerion CVE intelligence in NVD format. Returns a paginated list of CVEs matching the given filters.
Parameters
| Name | Type | Description |
|---|---|---|
| cveId | string | Filter by a specific CVE identifier, e.g. CVE-2025-4123. |
| cveIds | string[] | Filter by a comma-separated list of CVE identifiers. |
| vulnStatuses | string[] | Filter by one or more vulnerability statuses. |
| sourceIdentifier | string | Filter by source identifier, such as a CNA or analysis source email. |
| noRejected | boolean | Exclude records with a rejected vulnerability status when true. |
| cvssV3Metrics | string | Filter by a CVSS v3.x vector expression. |
| cvssV4Metrics | string | Filter by a CVSS v4.0 vector expression. |
| cweId | string | Filter by CWE identifier. |
| cpeName | string | Filter by CPE name. |
| isVulnerable | boolean | Restrict results to vulnerable CPE matches when true. |
| hasKev | boolean | Filter for CVEs that are present in the Known Exploited Vulnerabilities catalog. |
| kevStartDate | string | ISO 8601 start date for the KEV date range. |
| kevEndDate | string | ISO 8601 end date for the KEV date range. |
| keywordSearch | string | Free-text keyword search across CVE content. |
| keywordExactMatch | boolean | Require exact keyword matching when true. |
| resultsPerPage | integer | Number of results to return per page. |
| startIndex | integer | Zero-based offset for pagination. |
| pubStartDate | string | ISO 8601 start date for the CVE publication date range. |
| pubEndDate | string | ISO 8601 end date for the CVE publication date range. |
| lastModStartDate | string | ISO 8601 start date for the last-modified date range. |
| lastModEndDate | string | ISO 8601 end date for the last-modified date range. |
curl -X GET "https://api.volerion.com/v1/nvd/rest/json/cves/2.0?cveId=CVE-2025-4123" -H "apiKey: YOUR_API_KEY" -H "Accept: application/json"
{ "resultsPerPage": 20, "startIndex": 0, "totalResults": 1, "format": "NVD_CVE", "version": "2.0", "timestamp": "2026-06-07T22:23:30.167263963Z", "vulnerabilities": [ { "cve": { "id": "CVE-2025-4123", "sourceIdentifier": "security@grafana.com", "published": "2025-05-22T08:15:52.72Z", "lastModified": "2025-06-09T19:46:32.387074Z", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been identified in Grafana..." } ], "metrics": { "cvssMetricsV40": [ { "source": "contact@volerion.com", "type": "Primary", "cvssData": { "version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/S:X/AU:N/R:X/V:C/RE:M/U:X", "baseScore": 5.3 } } ], "cvssMetricsV31": [ { "source": "contact@volerion.com", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1 } }, { "source": "nvd@nist.gov", "type": "Secondary", "cvssData": { "version": "3.1",
Volerion injections
We proxy the NVD response and enrich it with our own analysis. For CVEs we have analysed, we inject our objects as type: "Primary" so every entry has complete coverage, including records not yet fully scored by NVD. Volerion-analyzed entries carry vulnStatus: "Analyzed" and all injected objects have their source set to contact@volerion.com.
When CNA or NVD (NIST) data is present, we keep that data in the same response astype: "Secondary". This guarantees full coverage without withholding any already-available public information in the record.
Our analysis is derived from authoritative sources and the conclusions are backed by a scoring harness we presented at FIRST VulnCon26.
Injected fields
- Description / executive summary
- CVSS 3.1 score and vector
- CVSS 4.0 score and vector
- Configurations (dictionary-validated CPEs and version ranges)
- Reference tags
Coverage
Volerion analysis covers CVEs published from 2025 onwards. For older CVEs, the NVD response is proxied as-is to preserve full API compatibility.
{ "id": "CVE-2025-4123", "vulnStatus": "Analyzed", "metrics": { "cvssMetricsV40": [ { "source": "contact@volerion.com", "type": "Primary", "cvssData": { "version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/..." } } ] } }
Limitations
Only the parameters listed above are currently supported. Some metadata fields provided by NIST may not be present in responses — review the response model above for the full set of available properties.
If you need additional NVD parameters or fields, contact us and we can prioritize them.
cvssV2Severity cvssV3Severity
cvssV4Severity virtualMatchString
hasCertAlerts hasCertNotes
hasOval