Public vulnerability lookup
What is this CVE?
Paste any CVE ID — severity, CVSS score, affected products, and references. Live from NIST’s National Vulnerability Database.
Format: CVE-YYYY-NNNNN. Example: (Log4Shell).
What this page shows
Every publicly disclosed software vulnerability gets a CVE identifier (Common Vulnerabilities and Exposures, format CVE-YYYY-NNNNN) and is cataloged by NIST’s National Vulnerability Database (NVD).
NVD enriches each CVE with a CVSS severity score, a list of affected products in CPE format, and links to the underlying advisories.
This page is a focused lens on that data: paste an ID, see what matters.
Severity bands
- Critical — CVSS 9.0–10.0. Remote, unauthenticated, with high impact. Patch immediately.
- High — CVSS 7.0–8.9. Significant impact or low attack complexity. Patch on the next maintenance window.
- Medium — CVSS 4.0–6.9. Limited impact or partial mitigations available.
- Low — CVSS 0.1–3.9. Minor impact, narrow exploit conditions.
- None — CVSS 0.0, or analysis not yet completed by NVD.
Known to be actively exploited
When CISA observes a CVE being used in real-world attacks, it adds the entry to its Known Exploited Vulnerabilities catalog and federal civilian agencies are mandated to remediate by a deadline under BOD 22-01. That signal flows back into the NVD record and is shown as a red banner above the CVSS block when present. Absence of the banner is not a guarantee of safety — it just means CISA hasn’t flagged this one yet.
Where this data comes from
Lookups go directly from your browser to services.nvd.nist.gov.
No proxy, no cache layer, no third party in between. NVD’s API is public-domain US Government work and explicitly permits commercial reuse.
Anonymous use is rate-limited to roughly five requests per thirty seconds, which comfortably covers single-user browsing.
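An added example (not this page's own code) of the lookup described above: it builds the NVD request URL, picks a CVSS base score, maps it to the severity bands listed earlier, and derives the exploited-in-the-wild banner from the record. Field names follow the NVD CVE API 2.0 JSON; the function names, the sample record and its CVE ID are constructed for illustration.

```javascript
const NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0";

// The sequence part of a CVE ID is four or more digits, so accept more than five.
function lookupUrl(id) {
  const cve = String(id).trim().toUpperCase();
  if (!/^CVE-\d{4}-\d{4,}$/.test(cve)) throw new Error("not a CVE ID: " + id);
  return NVD_API + "?cveId=" + encodeURIComponent(cve);
}

// Severity bands exactly as listed on this page.
function band(score) {
  if (typeof score !== "number" || score === 0) return "None";
  if (score >= 9.0) return "Critical";
  if (score >= 7.0) return "High";
  return score >= 4.0 ? "Medium" : "Low";
}

// Prefer the newest CVSS version present and, within it, the entry marked "Primary".
function baseScore(metrics = {}) {
  for (const key of ["cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]) {
    const list = metrics[key] || [];
    const m = list.find((x) => x.type === "Primary") || list[0];
    if (m) return m.cvssData.baseScore;
  }
  return null; // NVD analysis not completed yet
}

function summarize(response) {
  const cve = response.vulnerabilities?.[0]?.cve;
  if (!cve) return null; // unknown ID: NVD returns an empty list
  const score = baseScore(cve.metrics);
  return {
    id: cve.id, score, band: band(score),
    // KEV fields are present only when CISA has listed the CVE
    kev: cve.cisaExploitAdd ? { added: cve.cisaExploitAdd, due: cve.cisaActionDue } : null,
    cpes: (cve.configurations || []).flatMap((c) =>
      c.nodes.flatMap((n) => n.cpeMatch.map((m) => m.criteria))),
    references: (cve.references || []).map((r) => r.url),
  };
}

// Constructed sample record (placeholder ID and values, not a real CVE).
const SAMPLE = { vulnerabilities: [{ cve: {
  id: "CVE-2099-00001", cisaExploitAdd: "2099-01-02", cisaActionDue: "2099-01-23",
  metrics: { cvssMetricV31: [{ type: "Secondary", cvssData: { baseScore: 7.5 } },
                             { type: "Primary", cvssData: { baseScore: 9.8 } }] },
  configurations: [{ nodes: [{ cpeMatch: [
    { vulnerable: true, criteria: "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*" }] }] }],
  references: [{ url: "https://example.com/advisory" }] } }] };
```

In a browser the live call is `fetch(lookupUrl(id)).then((r) => r.json()).then(summarize)`; a record with no `metrics` summarizes to band "None" and one with no `cisaExploitAdd` to `kev: null`.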
What is intentionally excluded
- Vendor-specific threat-intelligence overlays or proprietary scoring.
- Email or push notifications. NVD publishes its own RSS feed if you want one.
- Editorial commentary on whether a particular CVE matters to you — read the references.
- Reordering by anything other than NVD’s own publish date or CVSS score.