NVD API Version 2 changes

NVDLib version 0.7.0 and onward will be utilizing version 2 of the NVD API. All versions before 0.7.0 will utilize version 1. Version 1 of the API is planned to be decomissioned around September 2023. There has been a lot of changes in version 2 of the API. This page will describe the changes seen within NVDLib, not neccesarily the new version of the API.


For a more in-depth look at what has changed in version 2 see the NVD page here: https://nvd.nist.gov/General/News/api-20-announcements


  • No longer exists. It is now bundled into nvdlib.searchCVE() with the arguement cveId.

  • Keep in mind searchCVE will always return a list, so when using the argument cveId you must access the first element of the list.

>>> r = nvdlib.searchCVE(cveId='CVE-2021-26855')
>>> r[0].id

Or more conveniently:

>>> r = nvdlib.searchCVE(cveId='CVE-2021-26855')[0]
>>> r.id


  • Arguments now match exactly stated in NVD API documentation, instead of a shorthand. For example, version 0.6.1 used the argument keyword, it is now keywordSearch in NVDLib 0.7.0. Changes include:

    • modStartDate -> lastModStartDate

    • modEndDate -> lastModEndDate

    • keyword -> keywordSearch

    • isExactMatch -> keywordExactMatch

    • cpeMatchString -> virtualMatchString

    • sortby -> No longer exists

    • includeMatchStringChange -> No longer exists

  • Scores are now elaborated beyond 2 and 3 to include 3.1. This means the score attribute on CVEs will now prefer 3.1 CVSS scoring over 3.0 and 2.0.

>>> r[0].score
['V31', 9.8, 'CRITICAL']
  • The CVE structure has changed, meaning information you were obtaining manually previously, may be in a new location. I recommend looking at the new CVE page to get an idea of what it looks like now.

  • New parameters! Check out CVE.


  • cves parameter in nvdlib.searchCPE() no longer exists, as CPE searches cannot return CVEs anymore.

  • The same parameter changes in searchCVE are applies to nvdlib.searchCPE().

  • New parameters! Check out CPE.