• CVE data is taken from APIs/feeds provided by NVD (National Vulnerability Database) and CVE.org.
  • All vendor, product and version data are taken from NVD CVE and CPE data when available from NVD; otherwise CPE data is generated based on data provided by CVE.org and automated processing or manual reviews. We do manual reviews for most CVEs except CVEs that affect products that are unlikely to be of interest to most users (e.g. WordPress plugins, vulnerabilities affecting personal GitHub projects, etc.).
    CPEs provided by NVD and CPEs generated by CVEdetails.com are processed to create a complete list of vendors, products and versions, but data listed on this site may not be exhaustive. For example, a product may have more versions than those listed on this site. Vendor, product, version information and related statistics are for informational purposes only and may not be fully accurate.
  • Vulnerability types/categories are determined using keyword matching and CWE numbers. Vulnerability type/category information should be used as additional information and/or hints about the nature of issues.
  • Please note: CVE data contains inconsistencies that affect the accuracy of the data displayed on this site. For example, a single product might have been defined under several different names. If a product is defined under different names in CVE data, this site treats them as different products. For example, vulnerabilities related to Oracle Database 10g might have been defined for products "Oracle Database", "Oracle Database10g", "Database10g", "Oracle 10g" and similar. Or a PHP vulnerability might have been defined for Fedora Linux 10. The number of vulnerabilities and the statistics are therefore only as accurate as the CVE data and are provided for informational purposes only. Please make sure that you manually verify all data before using it.
    If you think that there are inconsistencies or errors in data published by this site, please contact us by email at admin@cvedetails.com.
  • We also collect various other types of data, such as vendor advisories and code changes, from sources like RSS feeds, GitHub repositories and third-party APIs, and correlate all data, allowing users to easily access relevant information.

Technical details, limitations

  • For "vulnerable products" provided by NVD, accuracy and/or completeness of the data is only as good as the data provided by NVD. For CPE information generated by CVEdetails.com, we do our best to provide accurate CPE information, but when the exact version cannot be determined we use version "0", which indicates that exact version numbers could not be determined.
  • There may be some inconsistencies in CVE data, for example some products may be listed under several names like Adobe Reader, Adobe Acrobat Reader or IE and Internet Explorer. So some of the vulnerabilities may be reported for IE while others are reported for Internet Explorer. Make sure that you manually verify that you have checked all possible names for a product.
  • Rejected CVE entries are not included in our database. Because of that, the number of CVE vulnerabilities on this site may differ from the number on other similar web sites, including NVD.

CVEdetails.com specific CVE, CPE FAQ

What are the CVE data sources used by CVEdetails.com?

The main CVE data sources for CVEdetails.com are NVD CVE and CPE feeds/APIs and CVE project (CVE.org). CVEdetails.com regularly fetches new and modified data from data sources and updates its database.

How does CVEdetails.com calculate vulnerability statistics?

CVEdetails.com processes all CVE and CPE data and creates a list of all known vendor, product and versions, then calculates a list of vulnerabilities affecting each version, product and vendor.
All statistics are provided for informational purposes only. They are not guaranteed to be accurate.

How can a version, product or vendor appear to have zero vulnerabilities?

This might happen under a few circumstances, including (but not limited to):
  • The product/version in question was used only as a condition, e.g. if X is vulnerable when used together with Y, then Y will still be in our database but won't have any vulnerabilities itself.
  • The product/version was listed as vulnerable in a CVE definition at some point, but the CVE definition was later modified and the product/version was removed from the list of vulnerable items. The product/version will still remain in our database; we won't delete entries just because they are no longer used in any CVE definitions.
  • The product or version was obtained from NVD CPE data which contains products and versions which don't have any known vulnerabilities.

Why is a version x.y.z of a product missing in your database?

We only have versions included in CVE and/or CPE data.

Why do you have apparently duplicate vendor/product/versions in your database?

We rely on CVE and/or CPE data, which may contain inconsistencies. For example, two different vendors named "Abc project" (with a space) and "Abcproject" (without a space) might have been used at different times. These vendors are probably the same, and the two entries were probably created unintentionally. But we can't know for sure whether they are the same, so we treat them as different vendors.
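The naming inconsistencies described here and under "Technical details, limitations" mean an inventory lookup has to search every spelling of a vendor/product and treat version "0" as undetermined. The sketch below is an added example, not CVEdetails.com code: the CPE strings are constructed, and the folding rule and function names are assumptions that produce candidates for manual review, not confirmed matches.

```python
import re
from collections import defaultdict

# Constructed sample CPE 2.3 names (not taken from NVD or CVEdetails.com).
SAMPLE_CPES = [
    "cpe:2.3:a:abc_project:widget:1.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:abcproject:widget:1.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:abcproject:widget:0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:data_base_10g:10.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:database10g:10.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:other:tool:2.0:*:*:*:*:*:*:*",
]

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into (vendor, product, version)."""
    fields = re.split(r"(?<!\\):", cpe)  # an escaped colon (\:) stays in its field
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return fields[3], fields[4], fields[5]

def fold(name):
    """Assumed folding rule: ignore case, spaces, underscores and punctuation."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def alias_groups(cpes):
    """Map each folded (vendor, product) to its raw spellings when there are several."""
    seen = defaultdict(set)
    for cpe in cpes:
        vendor, product, _ = parse_cpe(cpe)
        seen[(fold(vendor), fold(product))].add((vendor, product))
    return {key: names for key, names in seen.items() if len(names) > 1}

def matching_entries(cpes, vendor, product, version):
    """Entries to review for an installed version, searched across all spellings."""
    key = (fold(vendor), fold(product))
    hits = []
    for cpe in cpes:
        v, p, ver = parse_cpe(cpe)
        if (fold(v), fold(p)) != key:
            continue
        if ver == "0":
            # "0" marks an undetermined version, so it may or may not apply.
            hits.append((cpe, "unknown"))
        elif ver == version:
            hits.append((cpe, "exact"))
    return hits

if __name__ == "__main__":
    for key, names in alias_groups(SAMPLE_CPES).items():
        print("review as possible duplicates:", sorted(names))
    for hit in matching_entries(SAMPLE_CPES, "Abc project", "widget", "1.3.0"):
        print(hit)
```

Folding only proposes that two names may refer to the same vendor or product; each group still needs the manual verification the page asks for.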

How do you categorize vulnerabilities?

CVEdetails.com assigns types/categories to vulnerabilities using CWE IDs and keywords. For example, if "CWE - 89 : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" is assigned to a CVE, then we assign the 'sql injection' type to that CVE. Or if the CVE description contains certain keywords like "XXE", then we assign the 'XXE' category to that CVE.