CVEProject / cvelistV5

>**Note 2026-2-17 Adding Additional day of processing for date normalization to addreess potential inconsistencies** > New Date Normalization schedule: (2/16/26 - 2/28/26) > >**Note 2026-2-10 Record Date Normalization file change** >The deltaLog.json file normally retains a rolling 30 days worth of CVE record modification history. However, for the duration of the **Date Normalization process (2/16/26 - 2/28/26)**, the deltaLog.json file will temporarily only retain 15 days worth of history. As a significant number of records will be modified, this will limit the deltaLog.json file size. During this process, the file size will be monitored to see if the number of days stored needs to be further reduced to stay under the size limit. Please note, the full history of the deltaLog file is viewable in the Git history. Once the Date Normalization process is complete, the log file will be set to once again store 30 days worth of history. >**Note 2025-10-29 CVE Record Format Version 5.2.0 update as of Wednesday 10/29 at 10:30 AM EST; Supporting Package URL (PURL) identifiers:** This update to the CVE Record Format (to version 5.2.0) introduces "non breaking" changes to include: > - Adding support for PURL identifiers using the packageURL propertiy with the affected array items > - Adding additionaProperites equal to false for the affected array items. > - Updating example records CVE Records (including a PURL example) > - Adding Documentation and infrastructure improvemente preparing to better support future CVE Record Format updates. > > For more details see: > - The CVE Program general announcement > - The CVE Record Format 5.2.0 Release notes > - The CVE Services 2.6.0 Release Notes >**Note 2024-12-4 CVE REST Services was updated to use the CVE Record Format Schema 5.1.1 on Wednesday 12/4 at 4.00PM EST:** This update introduces “non breaking” changes containing new features that some CNAs may be interested in using in the future (see CVE Record Format version 5.1.1 Release notes. As a fully backwards compatible update (meaning that all previously published CVE Records will validate using this schema), most users will see no operational impact as a result of this change. This schema defines the data format for CVE Records, regardless of whether they were published before or after December 4. >**Note 2024-09-17 CVE Repository Historical Record Correction:** CVE Records originally published prior to 2023 with incorrect Reserved/Published/Update dates have been corrected. This action corrected approximately 27,000 records that had been assigned incorrect Reserved, Published, or Updated dates as part of JSON 5.0 CVE Record adoption. > **Note 2024-07-31 CVE Records may now contain a new container called the *CVE Program Container***: This new container provides additional information added by the CVE Program to include Program-added references. Users of this repository may need to process two containers. See below for more information. > **Note 2024-05-08 5:30pm**: CVE REST Services was updated to the CVE Record Format Schema 5.1 on 2024-05-08 at 5:30pm EDT. With this update, a CVE Record in this repository may now be either a 5.0 or a 5.1 formatted record. The format is reflected in the "dataversion" field. Users of this repository who "validate" CVE Records are advised to validate records by using the appropriate version of the schema (i.e., 5.0 or 5.1) as reflected in this field. Users should not determine which schema to use based on the deployment date of the new format (i.e., 2024-05-08 at 5:30pm EDT) as there are inconsistencies in published/updated date values. > CVE List V5 This repository is the official CVE List. It is a catalog of all CVE Records identified by, or reported to, the CVE Program. This repository hosts downloadable files of CVE Records in the CVE Record Format (view the schema). They are updated regularly (about every 7 minutes) using the official CVE Services API. You may search, download, and use the content hosted in this repository, per the CVE Program Terms of Use. **Legacy Format Downloads No Longer Supported**—All support for the legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) ended on June 30, 2024. These legacy download formats, which will no longer be updated and were phased out over the first six months of 2024, have been replaced by this repository as the only supported method for CVE Record downloads. Learn more here. CVE Record Containers CVE Records may now consist of multiple containers: • A CNA container • The CVE Program Container • Optional multiple ADP-specific containers CVE Program Container All CVE Program-added references after 7/31/2024 for a CVE Record will be stored in the CVE Program Container of that Record. CNA-provided references will continue to be stored in the CNA Container. The CVE Program Container is implemented in an ADP container format in the CVE Record. Specific JSON/CVE Record fields that will be in the CVE Program Container are as follows: • adp:title field: "**CVE Program Container**" • adp:providerMetadata:shortName:"**CVE**" • adp:references field as described here References in the CVE Program Container maintain the same format as references in a CNA Container. The CVE Program container may contain references that have the *x_transferred* tag. References with this tag were read from the CNA container on 7/31/2024. This is a "one time" copy to maintain the "state" of the CNA reference list as of 7/31/2024. CVE Program-added references after this date will not have the *x_transfered" tag. In the case of new CVE records created after 7/31/2024, if no Program provided enriched data is added, there will be no CVE Program Container associated with the CVE Record. Implementation Considerations: *Required Containers processing:* After 7/31//2024, to retrieve all information about a reported vulnerability in the CVE Repository, tool vendors and community users will need to examine the CVE Record CN…