CVE List Search Tips

Tips for searching the CVE List hosted on this website are included below.

Advanced searching of enhanced CVE List content is available via the U.S. National Vulnerability Database (NVD), which is based upon and synchronized with the CVE List.

Basic Search of CVE List

Searching the CVE List provides you with an individual CVE Entry and/or a list of all CVE Entries.

Search by CVE ID

If you know the CVE ID number for a problem, search by the number to find its description.

Search by keyword

Use a keyword to search the CVE List to find the official CVE Entry for a known vulnerability.

Use specific keywords

You must use very specific keywords, such as an application name, when searching the CVE List. For example: Sendmail, wu-ftp, ToolTalk, ps, etc.

Do not use overly general keywords

CVE is not designed like a vulnerability database, so searches for general terms like "Unix" or "buffer overflow" could give you incomplete or inaccurate results.

Search by multiple keywords

You can search by multiple keywords if the multiple keywords are separated by a space. Your results will include CVE Entries that match all specified keywords. Remember to use very specific keywords and to avoid overly general keywords.

Do not search CVE by operating system

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.

Determining which entry is the one you want

Occasionally, you may get back two or more entries when performing a search for a given security problem. When this occurs, it is because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. While the description for a CVE Entry should be able to uniquely identify a vulnerability or exposure, the descriptions are intentionally brief, and in some instances you may need to rely on the accompanying references to make a determination. In addition to referring to the references, you could also search through CVE-compatible sites by specifying the CVE Entries that you are uncertain about.

Don't expect fix information, impact, classification, or other technical details

Such information can already be found in numerous vulnerability databases and security tool databases. CVE doesn’t have this information because CVE is intended to link these databases, not to replace them.