CVE List Search Tips

Advanced Search

Searching of CVE is available on the U.S. National Vulnerability Database (NVD) where you may Search CVE by individual CVE Identifier (CVE ID) number; by operating system; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.

NVD also provides fix information for CVE IDs and Security Content Automation Protocol (SCAP) Mappings for CVE IDs.

Basic Search

Searching or viewing the Master Copy of the CVE List hosted on the CVE Web site provides you with an individual CVE Identifier and/or a list of all CVE Identifiers.

Search by CVE Identifier

If you know the CVE Identifier number for a problem, search by the number to find its description.

Search by keyword

Use a keyword to search the CVE List to find the official CVE entry for a known vulnerability.

Use specific keywords

You must use very specific keywords, such as an application name, when searching CVE. For example: Sendmail, wu-ftp, ToolTalk, ps, etc.

Do not use overly general keywords

CVE is not designed like a vulnerability database, so searches for general terms like "Unix" or "buffer overflow" could give you incomplete or inaccurate results.

Search by multiple keywords

You can search by multiple keywords if the multiple keywords are separated by a space. Your results will include CVE entries that match all specified keywords. Remember to use very specific keywords and to avoid overly general keywords.

Do not search CVE by operating system

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.

Determining which entry is the one you want

Occasionally, you may get back two or more entries when performing a search for a given security problem. When this occurs it is because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. While the description for a CVE Identifier should be able to uniquely identify a vulnerability or exposure, the descriptions are intentionally brief and in some instances you may need to rely on the accompanying references to make a determination. In addition to referring to the references, you could also search through CVE-compatible sites by specifying the CVE Identifiers that you are uncertain about.

Don't expect fix information, impact, classification, or other technical details

Such information can already be found in numerous vulnerability databases and security tool databases. CVE doesn’t have this information because CVE is intended to link these databases, not to replace them.

For additional information, refer to the FAQs and the About CVE Identifiers section of this Web site.

Page Last Updated or Reviewed: February 09, 2017