Bulk CVE data dumps

Free quarterly JSONL+gzip exports of the CVE Explore corpus, including CVSS, KEV, EPSS, products, references, and Metasploit module flags. Licensed CC-BY 4.0 — attribute CVE Explore on redistribution.

What this is

CVE Explore publishes a free quarterly export of the entire CVE corpus as newline-delimited JSON (.jsonl.gz). Each row is one CVE with description, severity, CVSS vector, CISA KEV status, FIRST.org EPSS score, affected vendors and products, external references, and Metasploit module flags. The export omits two things: the per-record raw upstream JSON, which multiplies the size 5-10x for limited public value, and our proof-of-concept inventory, which is a separate concern, is large, and can be shipped separately on demand.

Every dump ships with a SHA-256 checksum and a sibling manifest.json describing the schema version, row count, fields list, and upstream sources. The freshest manifest is always at /api/v1/data/manifest.json; the full archive is at /api/v1/data/dumps.

License — CC-BY 4.0 (attribution required)

The export is licensed under the Creative Commons Attribution 4.0 International (CC-BY 4.0) deed. You are free to copy, redistribute, transform, and build on the data for any purpose — including commercial — provided you give appropriate credit to CVE Explore, link back to cve-explore.com, and indicate if changes were made. A reasonable attribution line is:

Data derived from CVE Explore (https://cve-explore.com), licensed CC-BY 4.0.

The upstream source-of-record for each CVE is the NVD and MITRE cvelistV5 records linked from each page; the export is a derivative aggregation, not a replacement for the upstream record.

Quarterly archive

No dumps have been generated yet. The first quarterly run produces an archive entry; check back after the next quarter boundary (00:00 UTC on Jan 1, Apr 1, Jul 1, or Oct 1).

Schema

Each line of the .jsonl.gz file is one CVE record. The object has the following keys in declaration order:

id
Canonical CVE identifier (e.g. CVE-2021-44228).
description
English-language description from NVD / MITRE.
published_at
When the CVE was first published, ISO-8601 UTC. Nullable.
modified_at
When the CVE record was last modified upstream, ISO-8601 UTC. Nullable.
cvss_v3_score
CVSS v3.x base score in [0.0, 10.0]. Nullable when no v3 vector is available.
cvss_v3_severity
Canonical severity bucket: NONE | LOW | MEDIUM | HIGH | CRITICAL. Empty when no v3 vector.
cvss_v3_vector
CVSS v3.x vector string. Empty when no v3 vector.
kev
True when the CVE is on the CISA Known Exploited Vulnerabilities catalog.
kev_added_at
When CISA added the CVE to the KEV catalog. Null when kev=false.
epss_score
FIRST.org EPSS probability in [0,1] of exploitation in the next 30 days. Null when not yet scored.
epss_percentile
FIRST.org EPSS percentile rank in [0,1]. Null when not yet scored.
epss_scored_at
Date FIRST.org last scored this CVE, ISO-8601 UTC. Null when not yet scored.
cwes
Array of CWE ids (e.g. ["CWE-79"]). Empty array when no classification.
products
Array of {vendor, product} objects. Empty array when no products are recorded.
references
Array of {url, tags} objects. Tags follow the NVD reference-tag taxonomy.
msf
True when at least one Metasploit module references this CVE.
msf_count
Number of Metasploit modules referencing this CVE. Zero when msf=false.

Excluded by design: the upstream raw JSON column (multiplies size 5-10x), our PoC inventory (separate concern, much larger), and internal columns (created_at, updated_at, search-outbox artifacts).
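
One way a consumer can check a downloaded dump before ingesting it, as an added example that is not CVE Explore's own code: confirm the SHA-256 before decompressing, then validate each row against the field reference above. The function names are hypothetical, the sample rows are constructed, and the expected checksum and row count are passed in by the caller because this page does not list the manifest's key names.

```python
import gzip, hashlib, io, json

# Keys in declaration order, copied from the field reference above.
FIELDS = ["id", "description", "published_at", "modified_at", "cvss_v3_score",
          "cvss_v3_severity", "cvss_v3_vector", "kev", "kev_added_at",
          "epss_score", "epss_percentile", "epss_scored_at", "cwes",
          "products", "references", "msf", "msf_count"]
SEVERITIES = ("", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def in_range(v, hi):  # nullable number in [0, hi]
    return v is None or (isinstance(v, (int, float)) and 0 <= v <= hi)

def check_record(rec):
    """Return the documented-schema violations found in one decoded row."""
    if not isinstance(rec, dict) or list(rec) != FIELDS:
        return ["keys differ from documented schema"]
    checks = [
        (in_range(rec["cvss_v3_score"], 10.0), "cvss_v3_score out of range"),
        (rec["cvss_v3_severity"] in SEVERITIES, "unknown cvss_v3_severity"),
        (in_range(rec["epss_score"], 1.0), "epss_score out of range"),
        (rec["kev"] or rec["kev_added_at"] is None, "kev_added_at without kev"),
        (rec["msf"] or rec["msf_count"] == 0, "msf_count nonzero without msf"),
    ]
    return [msg for ok, msg in checks if not ok]

def load_dump(blob, expected_sha256, expected_rows):
    """Check the SHA-256 before decompressing, then validate every row."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: refusing to parse")
    rows, bad = [], {}
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            rec = json.loads(line)  # a non-JSON line raises ValueError
            errs = check_record(rec)
            if errs:
                bad[n] = errs  # keyed by 1-based line number
            else:
                rows.append(rec)
    if len(rows) + len(bad) != expected_rows:
        raise ValueError("row count differs from manifest")
    return rows, bad

def sample_row(**over):  # constructed test row, not real export data
    return {**dict.fromkeys(FIELDS), "cvss_v3_severity": "", "kev": False,
            "msf": False, "msf_count": 0, **over}
SAMPLE = gzip.compress("".join(json.dumps(r) + "\n" for r in [
    sample_row(id="CVE-0000-0001", kev=True, epss_score=0.9),
    sample_row(id="CVE-0000-0002", epss_score=1.7)]).encode())
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()  # stands in for the published checksum
```

Rows that fail validation are returned separately, keyed by line number, so a pipeline can quarantine them instead of silently ingesting values outside the documented ranges.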

Programmatic access

The full surface is served at /api/v1/data/*:

  • GET /api/v1/data/manifest.json — the latest manifest (ETag + 304).
  • GET /api/v1/data/dumps — list of every manifest, newest first.
  • GET /api/v1/data/{slug}/manifest.json — one manifest by slug.
  • GET /api/v1/data/{slug}/cves.jsonl.gz — body download. Redirects to the public object-storage URL when S3 is configured; streams the file directly when the API is running with the local-filesystem fallback.

All four endpoints are anonymous-readable. Standard Cache-Control, ETag, and If-None-Match apply.

Upstream sources

The export is a derivative aggregation of the following public-data feeds. Re-credit each source when redistributing data that derives from it: