CVE List Search Tips

Tips for searching the CVE List hosted on this website are included below.

Other free CVE List search resources are also available.

As part of its enhanced CVE List content, the U.S. National Vulnerability Database (NVD) provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.


Basic Search of CVE List

Searching the CVE List provides you with an individual CVE Entry and/or a list of all CVE Entries.

Search by CVE ID

If you know the CVE ID number for a problem, search by the number to find its description.

Search by keyword

Use a keyword to search the CVE List to find the official CVE Entry for a known vulnerability.

Use specific keywords

You must use very specific keywords, such as an application name, when searching the CVE List. For example: Sendmail, wu-ftp, ToolTalk, ps, etc.

Do not use overly general keywords

CVE is not designed like a vulnerability database, so searches for general terms like "Unix" or "buffer overflow" could give you incomplete or inaccurate results.

Search by multiple keywords

You can search by multiple keywords if the multiple keywords are separated by a space. Your results will include CVE Entries that match all specified keywords. Remember to use very specific keywords and to avoid overly general keywords.

Do not search CVE by operating system

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.

Determining which entry is the one you want

Occasionally, you may get back two or more entries when performing a search for a given security problem. When this occurs, it is because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. While the description for a CVE Entry should be able to uniquely identify a vulnerability or exposure, the descriptions are intentionally brief, and in some instances you may need to rely on the accompanying references to make a determination. In addition to referring to the references, you could also search through CVE-compatible sites by specifying the CVE Entries that you are uncertain about.

Don't expect fix information, impact, classification, or other technical details

Such information can already be found in numerous vulnerability databases and security tool databases. CVE doesn’t have this information because CVE is intended to link these databases, not to replace them.

Other CVE List Search Resources

Other organizations also offer free search resources for the CVE List.

GitHub

Because the CVE Program currently synchronizes the CVE List with a GitHub repository, all of GitHub’s search features can be used. Their documentation is available here:

https://help.github.com/en/articles/searching-code
https://help.github.com/en/articles/understanding-the-search-syntax

Please note that you must be signed into a GitHub user account; otherwise, the search capabilities are very limited and are unlikely to help you in discovering CVE Entries.

In general, you should use the “GitHub Advanced Search” page and search only the CVEProject/cvelist repository.

EXAMPLE 1:

A person wishes to discover CVE Entries related to WordPress, but exclude WordPress plugins and themes.

  1. Go to: https://github.com/search/advanced?type=Code
  2. Enter “WordPress NOT plugin NOT theme repo:CVEproject/cvelist extension:json” without the quote marks in the “Advanced Search” box at the top of the page, and click the search button.

EXAMPLE 2:

A person wishes to discover CVE Entries related to use of Apple’s iOS operating system, and exclude Cisco’s IOS operating system.

  1. Go to: https://github.com/search/advanced?type=Code
  2. Enter “iOS NOT Cisco repo:CVEproject/cvelist extension:json” without the quote marks in the “Advanced Search” box at the top of the page, and click the search button.
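
The same two queries can be run offline against a local clone of the CVEProject/cvelist repository. The following Python code is an added example, not part of the original page or of any CVE Program tooling. It assumes the CVE JSON 4.0 record layout (CVE_data_meta.ID and description.description_data[].value), approximates the keyword and NOT behaviour with case-insensitive whole-word matching rather than reproducing GitHub's search engine, and runs on constructed sample records with placeholder IDs.

```python
import json, re, tempfile
from pathlib import Path

# Constructed sample records (placeholder IDs and descriptions, not real CVE Entries).
SAMPLES = {
    "CVE-0000-0001": "An issue in Apple iOS before 1.0 allows a crafted app to read memory.",
    "CVE-0000-0002": "A vulnerability in Cisco IOS software allows a remote reload.",
    "CVE-0000-0003": "XSS in the Example plugin for WordPress.",
    "CVE-0000-0004": "WordPress before 1.0 mishandles comment markup.",
}

def parse_query(query):
    """Split 'a b NOT c' into (required, excluded) lowercase keyword lists."""
    required, excluded, negate = [], [], False
    for token in query.split():
        if token == "NOT":
            negate = True
            continue
        (excluded if negate else required).append(token.lower())
        negate = False
    return required, excluded

def matches(text, required, excluded):
    """True if every required keyword and no excluded keyword is a whole word in text."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return all(k in words for k in required) and not any(k in words for k in excluded)

def search(root, query):
    """Return sorted CVE IDs under root whose description satisfies the query."""
    required, excluded = parse_query(query)
    hits = []
    for path in sorted(Path(root).rglob("*.json")):
        try:
            record = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it rather than abort
        if not isinstance(record, dict):
            continue
        cve_id = record.get("CVE_data_meta", {}).get("ID", "")
        items = record.get("description", {}).get("description_data", [])
        text = " ".join(i.get("value", "") for i in items)
        if cve_id and matches(text, required, excluded):
            hits.append(cve_id)
    return sorted(hits)

def demo():
    """Write the constructed samples to a temp directory and run both example queries."""
    with tempfile.TemporaryDirectory() as root:
        for cve_id, desc in SAMPLES.items():
            rec = {"CVE_data_meta": {"ID": cve_id},
                   "description": {"description_data": [{"lang": "eng", "value": desc}]}}
            (Path(root) / f"{cve_id}.json").write_text(json.dumps(rec), encoding="utf-8")
        return search(root, "iOS NOT Cisco"), search(root, "WordPress NOT plugin NOT theme")
```

Because matching is on whole words, "NOT plugin" does not exclude a description that only says "plugins"; add the plural as a second NOT term if needed.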

CIRCL

CIRCL also offers CVE search services, including a local search that requires a local installation of the MongoDB software. See:

https://www.circl.lu/services/cve-search/
https://www.cve-search.org/

Page Last Updated or Reviewed: September 04, 2019