Bulk CVE data dumps
Free quarterly JSONL+gzip exports of the CVE Explore corpus, including CVSS, KEV, EPSS, products, references, and Metasploit module flags. Licensed CC-BY 4.0 — attribute CVE Explore on redistribution.
What this is
CVE Explore publishes a free quarterly export of the entire CVE corpus as newline-delimited JSON (.jsonl.gz). Each row is one CVE with description, severity, CVSS vector, CISA KEV status, FIRST.org EPSS score, affected vendors and products, external references, and Metasploit module flags. The export omits per-record raw upstream JSON (multiplies size 5-10x for limited public value) and our proof-of-concept inventory (separate concern, large, can be shipped separately on demand).
Every dump ships with a SHA-256 checksum and a sibling manifest.json describing the schema version, row count, fields list, and upstream sources. The freshest manifest is always at /api/v1/data/manifest.json; the full archive is at /api/v1/data/dumps.
License — CC-BY 4.0 (attribution required)
The export is licensed under the Creative Commons Attribution 4.0 International (CC-BY 4.0) deed. You are free to copy, redistribute, transform, and build on the data for any purpose — including commercial — provided you give appropriate credit to CVE Explore, link back to cve-explore.com, and indicate if changes were made. A reasonable attribution line is:
Data derived from CVE Explore (https://cve-explore.com), licensed CC-BY 4.0.
The upstream source-of-record for each CVE is the NVD and MITRE cvelistV5 records linked from each page; the export is a derivative aggregation, not a replacement for the upstream record.
Quarterly archive
No dumps have been generated yet. The first quarterly run produces an archive entry; check back after the next quarter boundary (00:00 UTC on Jan 1, Apr 1, Jul 1, or Oct 1).
Schema
Each line of the .jsonl.gz file is one CVE record. The object has the following keys in declaration order:
id - Canonical CVE identifier (e.g. CVE-2021-44228).
description - English-language description from NVD / MITRE.
published_at - When the CVE was first published, ISO-8601 UTC. Nullable.
modified_at - When the CVE record was last modified upstream, ISO-8601 UTC. Nullable.
cvss_v3_score - CVSS v3.x base score in [0.0, 10.0]. Nullable when no v3 vector is available.
cvss_v3_severity - Canonical severity bucket: NONE | LOW | MEDIUM | HIGH | CRITICAL. Empty when no v3 vector.
cvss_v3_vector - CVSS v3.x vector string. Empty when no v3 vector.
kev - True when the CVE is on the CISA Known Exploited Vulnerabilities catalog.
kev_added_at - When CISA added the CVE to the KEV catalog. Null when kev=false.
epss_score - FIRST.org EPSS probability in [0,1] of exploitation in the next 30 days. Null when not yet scored.
epss_percentile - FIRST.org EPSS percentile rank in [0,1]. Null when not yet scored.
epss_scored_at - Date FIRST.org last scored this CVE, ISO-8601 UTC. Null when not yet scored.
cwes - Array of CWE ids (e.g. ["CWE-79"]). Empty array when no classification.
products - Array of {vendor, product} objects. Empty array when no products are recorded.
references - Array of {url, tags} objects. Tags follow the NVD reference-tag taxonomy.
msf - True when at least one Metasploit module references this CVE.
msf_count - Number of Metasploit modules referencing this CVE. Zero when msf=false.
Excluded by design: the upstream raw JSON column (multiplies size 5-10x), our PoC inventory (separate concern, much larger), and internal columns (created_at, updated_at, search-outbox artifacts).
Programmatic access
The full surface is served at /api/v1/data/*:
GET /api/v1/data/manifest.json - the latest manifest (ETag + 304).
GET /api/v1/data/dumps - list of every manifest, newest first.
GET /api/v1/data/{slug}/manifest.json - one manifest by slug.
GET /api/v1/data/{slug}/cves.jsonl.gz - body download. Redirects to the public object-storage URL when S3 is configured; streams the file directly when the API is running with the local-filesystem fallback.
All four endpoints are anonymous-readable. Standard Cache-Control, ETag, and If-None-Match apply.
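A consumer-side sketch of how a downloaded dump can be checked before use, added here as an example and not CVE Explore's own code: it verifies the SHA-256, confirms every row carries the schema keys and that the row count matches, then ranks records by KEV, Metasploit and EPSS. The function names, the 0.5 EPSS cut-off and the sample rows are hypothetical; the expected hash and row count are passed in by the caller because this page does not give the manifest's key names, and the checksum is assumed to cover the compressed file.

```python
import gzip, hashlib, json

# Keys listed in the Schema section of this page.
FIELDS = ("id description published_at modified_at cvss_v3_score cvss_v3_severity "
          "cvss_v3_vector kev kev_added_at epss_score epss_percentile epss_scored_at "
          "cwes products references msf msf_count").split()

def sha256_file(path):
    """Hash the file in 1 MiB chunks so a large dump never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def read_dump(path, expected_sha256, expected_rows):
    """Yield records from a dump; raise on checksum, schema or row-count mismatch."""
    # Assumption: the published SHA-256 covers the compressed file as downloaded.
    if sha256_file(path) != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch, refusing to parse")
    rows = 0
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            rec = json.loads(line)
            if any(k not in rec for k in FIELDS):
                raise ValueError(f"line {lineno}: record is missing schema keys")
            rows += 1
            yield rec
    if rows != expected_rows:
        raise ValueError(f"row count {rows} does not match manifest {expected_rows}")

def triage(records, epss_min=0.5):
    """IDs that are KEV-listed, have a Metasploit module, or EPSS >= epss_min."""
    # epss_score is null when not yet scored; treat that as 0 for comparison.
    hits = [r for r in records if r["kev"] or r["msf"]
            or (r["epss_score"] or 0.0) >= epss_min]
    hits.sort(key=lambda r: (not r["kev"], -(r["epss_score"] or 0.0)))  # KEV first
    return [r["id"] for r in hits]

def write_sample(path):
    """Constructed sample: three made-up rows, not real CVE data."""
    base = dict.fromkeys(FIELDS)
    base.update(description="constructed", cvss_v3_severity="", cvss_v3_vector="",
                kev=False, cwes=[], products=[], references=[], msf=False, msf_count=0)
    rows = [dict(base, id="CVE-0000-0001", kev=True, kev_added_at="2024-01-01T00:00:00Z"),
            dict(base, id="CVE-0000-0002", epss_score=0.91, epss_percentile=0.99),
            dict(base, id="CVE-0000-0003", epss_score=0.02, epss_percentile=0.40)]
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.writelines(json.dumps(r) + "\n" for r in rows)
```

Because read_dump is a generator, the row-count check fires only once the consumer has read the last record, so treat results as provisional until iteration completes without an exception.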
Upstream sources
The export is a derivative aggregation of the following public-data feeds. Re-credit each source when redistributing data that derives from it: