What Is the NVD? NIST National Vulnerability Database Explained
How the NVD works, its relationship to CVEs and KEVs, and how Mac admins can use it for vulnerability intelligence
The National Vulnerability Database (NVD) is the U.S. government’s repository of vulnerability data, maintained by the National Institute of Standards and Technology (NIST). While the CVE Program provides the universal identifier for each vulnerability, the NVD enriches that record with the severity scores, affected product data, and reference links that Mac administrators need to make patching decisions.
What the NVD Does
The NVD is not a vulnerability discovery organization. It does not find or report vulnerabilities. Instead, it takes CVE records published by MITRE and CNAs (like Apple) and adds structured analysis:
- CVSS Scores – The NVD assigns Common Vulnerability Scoring System scores to CVEs, providing the severity rating (0.0-10.0) you see in security advisories and scanning tools.
- CPE Data – Common Platform Enumeration identifiers specify exactly which products and versions are affected. For Apple vulnerabilities, this means specific macOS, iOS, and Safari versions are tagged.
- CWE Classification – Common Weakness Enumeration tags categorize the type of flaw (e.g., CWE-416 for use-after-free, CWE-787 for out-of-bounds write).
- Reference Links – Links to vendor advisories, patches, and technical writeups.
NVD vs CVE vs KEV: How They Relate
These three systems work together, each serving a distinct role:
| System | Maintained By | Purpose | Content |
|---|---|---|---|
| CVE | MITRE / CNA network | Unique identifier for each vulnerability | CVE ID, brief description, references |
| NVD | NIST | Enriched analysis of each CVE | CVSS score, CPE data, CWE classification |
| KEV | CISA | Actively exploited vulnerability tracking | CVE ID, exploitation status, remediation deadline |
The relationship is layered:
- A vulnerability is assigned a CVE ID by a CNA (e.g., Apple).
- The NVD ingests the CVE record and adds CVSS scoring, CPE data, and CWE classification.
- If the vulnerability is confirmed to be actively exploited, CISA may add it to the KEV Catalog.
Key takeaway: CVE is the identifier, NVD is the analysis, KEV is the threat signal. You need all three for complete vulnerability intelligence.
How the NVD Enriches CVE Records
When Apple publishes a security update with a list of CVE IDs, the initial CVE records often contain only a brief description and a link to Apple’s advisory. Within hours to days, the NVD processes these records and adds:
CVSS Scoring
The NVD’s analysts evaluate each CVE and assign a Base Score. For Apple vulnerabilities, you can compare the NVD’s CVSS assessment with the severity language Apple uses in its release notes. The NVD score provides the numeric precision needed for risk-based prioritization.
CPE Matching
CPE strings identify the exact products and version ranges affected. A CPE entry for a macOS vulnerability might look like:
```
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
```

The entry carries version constraints specifying that macOS versions before 15.3.1 are affected. This structured data enables automated vulnerability scanning tools to match CVEs to your inventory.
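The matching a scanner performs on such an entry can be sketched as follows. This is an added example, not code from NVD or from this site; it assumes the constraint arrives in the `versionEndExcluding`-style fields of an NVD API 2.0 `cpeMatch` entry and that versions are dotted numbers. The inventory and hostnames are constructed.

```python
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    parts = re.split(r"(?<!\\):", cpe)  # escaped colons (\:) stay inside a field
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def vkey(version):
    """'15.3.1' -> (15, 3, 1); numeric compare so 15.10 sorts after 15.3."""
    nums = [int(n) for n in version.split(".")]
    while nums and nums[-1] == 0:  # treat 15.3.0 and 15.3 as equal
        nums.pop()
    return tuple(nums)

# Range keys as they appear on a cpeMatch entry, with the test each implies.
BOUNDS = {
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def is_affected(match, vendor, product, version):
    """Evaluate one cpeMatch entry against an installed product version."""
    cpe = parse_cpe23(match["criteria"])
    if not match.get("vulnerable") or (cpe["vendor"], cpe["product"]) != (vendor, product):
        return False
    v = vkey(version)
    if cpe["version"] != "*":  # exact version pinned in the CPE itself
        return cpe["version"] != "-" and vkey(cpe["version"]) == v
    return all(test(v, vkey(match[k])) for k, test in BOUNDS.items() if k in match)

# Constructed sample: the page's CPE string plus the "before 15.3.1" constraint.
SAMPLE_MATCH = {
    "vulnerable": True,
    "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
    "versionEndExcluding": "15.3.1",
}
# Constructed inventory: hostname -> installed macOS version.
FLEET = {"mac-001": "15.3.1", "mac-002": "15.3", "mac-003": "14.7.4", "mac-004": "15.10"}

def affected_hosts(match, fleet):
    return sorted(h for h, ver in fleet.items() if is_affected(match, "apple", "macos", ver))

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_MATCH, FLEET))
```

Note that `mac-004` on 15.10 is correctly treated as newer than 15.3.1; a plain string comparison would flag it as affected.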
CWE Classification
The CWE tag reveals the root cause category of the vulnerability. Common CWE types in Apple CVEs include:
- CWE-416 – Use After Free (common in WebKit)
- CWE-787 – Out-of-bounds Write (common in kernel and media frameworks)
- CWE-200 – Exposure of Sensitive Information
- CWE-269 – Improper Privilege Management (TCC bypasses)
Searching for Apple Vulnerabilities on the NVD
Web Interface
The NVD search page at nvd.nist.gov supports filtering by keyword, CVE ID, CVSS score range, and date range. To find recent Apple vulnerabilities:
- Navigate to the NVD vulnerability search.
- Enter “Apple” in the keyword search or use the CPE dictionary to select Apple products.
- Filter by date range and CVSS severity as needed.
NVD API
For automation and scripting, the NVD provides a free REST API. Mac admins can integrate this into monitoring workflows.
```bash
# Search for recent Apple macOS CVEs from the NVD API
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=apple+macos&resultsPerPage=5" \
  | jq '.vulnerabilities[] | {
      id: .cve.id,
      published: .cve.published,
      description: .cve.descriptions[0].value,
      # Parentheses keep the // fallback valid inside an object on older jq releases
      cvss: (.cve.metrics.cvssMetricV31[0].cvssData.baseScore // "N/A")
    }'

# Look up a specific CVE with full detail
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-31200" \
  | jq '.vulnerabilities[0].cve | {
      id: .id,
      published: .published,
      lastModified: .lastModified,
      description: .descriptions[0].value,
      cvss: (.metrics.cvssMetricV31[0].cvssData | {baseScore, baseSeverity, vectorString})
    }'
```
Note: The NVD API is rate-limited. For unauthenticated requests, you are limited to approximately 5 requests per 30 seconds. Request a free API key from NIST to increase your rate limit to 50 requests per 30 seconds.
Filtering by CVSS Severity
```bash
# Find Critical Apple CVEs (CVSS 9.0+) published in the last 90 days
# date -v-90d is the BSD/macOS date syntax
NINETY_DAYS_AGO=$(date -v-90d +%Y-%m-%dT00:00:00.000)
NOW=$(date +%Y-%m-%dT23:59:59.999)
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=apple&cvssV3Severity=CRITICAL&pubStartDate=${NINETY_DAYS_AGO}&pubEndDate=${NOW}" \
  | jq '.vulnerabilities[] | {id: .cve.id, score: .cve.metrics.cvssMetricV31[0].cvssData.baseScore}'
```
NVD Processing Delays
One important caveat: the NVD does not instantly enrich every new CVE. There can be a delay between when a CVE is published and when the NVD adds CVSS scores and CPE data. During high-volume disclosure periods (such as when Apple releases a major OS update fixing dozens of CVEs), this backlog can extend to days or even weeks.
For time-sensitive patching decisions, do not wait for NVD enrichment. Use the information in Apple’s security release notes and KEV status to make initial triage decisions, then refine your assessment when NVD data becomes available.
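A triage pass that follows this advice, sketched as an added example (not code from NVD, CISA, or this site): it treats a record with no CVSS metrics as "not yet enriched" rather than low severity, and lets KEV membership outrank any score. The CVE IDs, records, bucket names, and the 9.0 threshold are constructed assumptions; field names follow the NVD API 2.0 and CISA KEV JSON layouts.

```python
# Constructed records shaped like NVD API 2.0 and CISA KEV feed entries; IDs are placeholders.
NVD_RECORDS = [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
        {"type": "Secondary", "cvssData": {"baseScore": 7.8}},
        {"type": "Primary", "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Received", "metrics": {}}},
    {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Analyzed", "metrics": {"cvssMetricV31": [
        {"type": "Primary", "cvssData": {"baseScore": 5.5}}]}}},
]
KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-2099-0003", "dueDate": "2099-02-01"}]}

def base_score(cve):
    """Base score from the newest CVSS version present, or None if not yet scored."""
    metrics = cve.get("metrics") or {}
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key) or []
        # Index 0 is not guaranteed to be the Primary assessment, so look for it.
        chosen = [e for e in entries if e.get("type") == "Primary"] or entries
        if chosen:
            return chosen[0]["cvssData"]["baseScore"]
    return None

def triage(records, kev_feed, urgent_at=9.0):
    """Map CVE ID -> (bucket, reason). Bucket names and threshold are assumptions."""
    kev_due = {v["cveID"]: v["dueDate"] for v in kev_feed["vulnerabilities"]}
    result = {}
    for rec in records:
        cve = rec["cve"]
        score = base_score(cve)
        if cve["id"] in kev_due:  # exploitation signal outranks any score
            result[cve["id"]] = ("immediate", f"in KEV, due {kev_due[cve['id']]}")
        elif score is None:  # NVD has not enriched the record yet
            result[cve["id"]] = ("check-vendor-advisory", f"NVD status: {cve['vulnStatus']}")
        elif score >= urgent_at:
            result[cve["id"]] = ("immediate", f"CVSS {score}")
        else:
            result[cve["id"]] = ("standard", f"CVSS {score}")
    return result

if __name__ == "__main__":
    for cve_id, (bucket, reason) in triage(NVD_RECORDS, KEV_FEED).items():
        print(cve_id, bucket, reason)
```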
How Full Metal Mac Uses NVD Data
The Full Metal Mac Threats page aggregates NVD data alongside CISA KEV entries to give Mac administrators a unified view of vulnerabilities affecting Apple platforms. By combining NVD severity scores with KEV exploitation status, the Threats page highlights which vulnerabilities require immediate attention and which can follow standard patching timelines.
Next Steps
- Understand how vulnerability identifiers work: What Is a CVE?
- Learn to read severity scores: Understanding CVSS Scores
- Track actively exploited vulnerabilities: Understanding CISA KEVs