CVEs Integration Guide
Overview
The CVEs integration allows your NINA workflows to connect with the CVEs API for searching and retrieving information about Common Vulnerabilities and Exposures (CVEs) and Common Platform Enumerations (CPEs). This integration enables you to search for vulnerabilities based on various criteria, including keywords, CVSS scores, publication dates, affected technologies, and specific CVE IDs.
This integration is particularly valuable for security operations, vulnerability management, and threat assessment workflows. It provides a streamlined way to incorporate CVE and CPE data into your automated security processes.
Credential Configuration
Before using the CVEs integration in your workflows, you need to configure credentials for authentication.
Authentication Method
The CVEs integration uses API Key authentication:
| Field | Description | Example |
|---|---|---|
| Domain | CVEs API base URL | https://cves-api.example.com |
| API Key | API key for authentication | a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 |
| Auth Type | Authentication type | apiKey |
How to get your API Key:
- Contact your organization's security team or administrator for access to the CVEs API
- Request an API key for the CVEs service
- Obtain the base URL for the CVEs API endpoint
Creating a CVEs Credential
-
Navigate to the Credentials section in NINA
-
Click Add New Credential
-
Fill in the credential details:
- Name: A descriptive name (e.g., "CVEs API Production")
- Description: Optional details about the credential's purpose
- Integration Service: Select "CVES API"
- Auth Type: "API Key" (this should be automatically selected)
- Domain: Enter the CVEs API base URL
- API Key: Enter your CVEs API key
-
Click Test Connection to verify credentials
-
Click Save to store the credential
Supported Resources and Operations
The CVEs integration supports the following resources and operations:
CVEs
| Operation | Description |
|---|---|
| Search | Searches for CVEs based on keywords, CVSS scores, dates, and other criteria |
| Search by Technologies | Searches for CVEs affecting specific technologies |
CPEs
| Operation | Description |
|---|---|
| Search | Searches for CPEs (Common Platform Enumerations) based on various criteria |
Parameter Merging
The CVEs integration takes advantage of NINA's parameter merging capabilities:
Parameter Sources (in order of precedence)
- Node Parameters: Parameters configured directly in the CVEs Integration Node
- Extracted Parameters: Parameters automatically extracted from the input data
- Input Data: The complete input data from upstream nodes
When a CVEs Integration Node executes:
- It combines parameters from all sources
- Node parameters take precedence over extracted parameters
- The combined parameters are used to execute the CVEs operation
Example: Searching CVEs
Basic CVE Search
Below is an example of searching for CVEs based on keywords.
Node Configuration:
{
"resource": "cves",
"operation": "search",
"parameters": {
"keywords": ["remote code execution", "apache"],
"minCVSS": 7.0,
"pagination": {
"from": 1,
"size": 50
}
}
}
This will search for CVEs related to "remote code execution" and "apache" with a CVSS score of at least 7.0, returning up to 50 results.
Searching for Specific CVE IDs
You can search for specific CVEs by their IDs:
Node Configuration:
{
"resource": "cves",
"operation": "search",
"parameters": {
"cve_ids": ["CVE-2022-22965", "CVE-2021-44228", "CVE-2021-45046"]
}
}
This will retrieve detailed information for the specified CVEs.
Searching CVEs with Date Filters
You can narrow down your search by specifying date ranges:
Node Configuration:
{
"resource": "cves",
"operation": "search",
"parameters": {
"fromDate": 1609459200, // January 1, 2021 (Unix timestamp)
"toDate": 1640995199, // December 31, 2021 (Unix timestamp)
"pagination": {
"from": 1,
"size": 100
},
"minCVSS": 9.0,
"minEPSS": 0.95,
"onlyInCISAKEV": true,
"cvssV3VectorParts": ["AV:N", "PR:N"]
}
}
This search looks for CVEs that:
- Were reported during 2021
- Have a CVSS score of 9.0 or higher.
- Have an EPSS score of 0.95 or higher (high probability of exploitation).
- Are present in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- Are network-accessible (
AV:N) and require no user privileges (PR:N).
Searching for Exploitable CVEs
You can focus on CVEs that have known exploits from specific sources.
Node Configuration:
{
"resource": "cves",
"operation": "search",
"parameters": {
"minCVSS": 8.0,
"onlyHasExploits": true,
"exploit_sources": ["exploit-db", "metasploit"],
}
}
This will search for Windows buffer overflow vulnerabilities with a CVSS score of at least 8.0 that have known exploits from Exploit-DB or Metasploit.
Example: Searching CVEs by Technologies
The CVEs integration allows you to search for vulnerabilities affecting specific technologies and versions. This is particularly useful for identifying vulnerabilities in your technology stack.
Basic Technology Search
Node Configuration:
{
"resource": "cves",
"operation": "search-by-technologies",
"parameters": {
"technologies": [
"nginx:1.18.0",
"php:7.4.16",
"mysql:5.7"
],
"minCVSS": 5.0
}
}
This will search for CVEs affecting NGINX 1.18.0, PHP 7.4.16, or MySQL 5.7 with a CVSS score of at least 5.0.
Technology Search with Additional Filters
You can combine technology filters with other parameters:
Node Configuration:
{
"resource": "cves",
"operation": "search-by-technologies",
"parameters": {
"technologies": [
"windows:10",
"edge:91.0.864.37"
],
"minCVSS": 7.0,
"fromDate": 1640995200, // January 1, 2022 (Unix timestamp)
"onlyHasExploits": true,
"exploit_sources": ["exploit-db", "metasploit"]
}
}
This will search for CVEs affecting Windows 10 or Edge 91.0.864.37 from 2022 onwards, with a CVSS score of at least 7.0 and that have known exploits from specific sources.
Searching for Technologies with No Specific Version
If you want to search for vulnerabilities affecting a technology regardless of version, you can use "N/A" as the version:
Node Configuration:
{
"resource": "cves",
"operation": "search-by-technologies",
"parameters": {
"technologies": [
"apache:N/A",
"tomcat:N/A"
],
"minCVSS": 6.0
}
}
This will search for CVEs affecting Apache or Tomcat (any version) with a CVSS score of at least 6.0.
Example: Searching CPEs
The CVEs integration also supports searching for CPEs (Common Platform Enumerations), which are standardized identifiers for IT products and platforms.
Basic CPE Search by Vendor and Product
Node Configuration:
{
"resource": "cpes",
"operation": "search",
"parameters": {
"vendor": "microsoft",
"product": "windows",
"version": "10",
"includeCVEs": true,
"onlyVulnerable": true,
"pagination": {
"from": 1,
"size": 50
}
}
}
This will search for Microsoft Windows 10 CPEs, including only those with known vulnerabilities and their associated CVEs.
CPE Search by WFN (Well-Formed Name)
You can also search using WFN format:
Node Configuration:
{
"resource": "cpes",
"operation": "search",
"parameters": {
"wfn": [
"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
"cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"
],
"includeCVEs": true,
"onlyVulnerable": true
}
}
This will search for Apache HTTP Server and NGINX CPEs using WFN format, including only vulnerable ones with their CVEs.
Response Structure
CVE Search Operation Response
The response from a CVE search operation is an array of CVE objects. The API provides comprehensive details for each vulnerability.
[
{
"cve_id": "CVE-2025-47916",
"description": "Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings...",
"cvss_score": 10,
"published_date": 1747353600,
"updated_date": 1747458189,
"nist_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47916",
"epss_score": 0.8791,
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"executive_summary": "{\"patch\": \"Upgrade to Invision Community version 5.0.7 or later\", ...}",
"cpes": [
{
"cpe": "cpe:2.3:a:invisioncommunity:invisioncommunity:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.0",
"versionEndExcluding": "5.0.7"
}
],
"cwes": [
{
"cwe_id": "CWE-1336",
"name": "Improper Neutralization of Special Elements Used in a Template Engine"
},
{
"cwe_id": "CWE-94",
"name": "Improper Control of Generation of Code ('Code Injection')"
}
],
"references": [
"https://github.com/rapid7/metasploit-framework/blob/28b7c7f786dc6126a2b54685253e74a19bb5bb43/modules%2Fexploits%2Fmulti%2Fhttp%2Finvision_customcss_rce.rb",
"https://karmainsecurity.com/KIS-2025-02"
],
"exploits": [
{
"cve_id": "CVE-2025-47916",
"source": "github",
"path": "https://github.com/user/repo/..."
}
]
}
]
Note: The executive_summary is a JSON string containing detailed analysis. Exploits, CPEs, CWEs and references(non-exploit references: advisories, patches, analysis, etc) are included when available.
Here is an example of an executive_summary:
{
"description": "Microsoft Windows 2000, XP, and possibly 2003 allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel and read or write kernel memory via the NtSystemDebugControl function, which does not verify its pointer arguments...",
"exploitation": "There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.",
"impact": "If exploited, this vulnerability could allow an attacker with local access and the SeDebugPrivilege to execute arbitrary code with kernel-level privileges...",
"patch": "A patch is available. The Security Focus website (www.securityfocus.com) has information about the patch, which was added on April 6, 2022.",
"mitigation": "1. Apply the available patch from the Security Focus website as soon as possible...",
"processing_time_s": 8.292251
}
Search by Technologies Operation Response
The search-by-technologies operation returns technology objects with their associated CVEs:
{
"data": [
{
"technology": "nginx:1.18.0",
"cves": [
{
"id": "CVE-2021-23017",
"summary": "Nginx resolver vulnerability...",
"cvss": {
"score": 8.6,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
},
"has_exploits": false,
"published_date": "2021-05-25T10:15:30Z"
}
]
},
{
"technology": "php:7.4.16",
"cves": [
// CVEs affecting PHP 7.4.16
]
}
// More technology groups...
]
}
CPE Search Operation Response
The CPE search operation returns pagination information and CPE data. The response structure varies based on whether CVE information is included:
Without CVE Information (includeCVEs: false)
{
"total": 45,
"cpes": [
"cpe:2.3:a:microsoft:windows:10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:nginx:nginx:1.18.0:*:*:*:*:*:*:*"
// More CPE strings...
]
}
With CVE Information (includeCVEs: true)
{
"total": 145,
"cpes": [
"cpe:2.3:a:microsoft:windows:10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*"
// More CPE strings...
],
"cves": [
{
"cve_id": "CVE-2022-30190",
"description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability",
"cvss_score": 7.8,
"published_date": 1653422400,
"updated_date": 1653508800,
"nist_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30190",
"cpes": [
{
"cpe": "cpe:2.3:a:microsoft:windows:10:*:*:*:*:*:*:*",
"versionStartIncluding": "10.0.19041",
"versionEndIncluding": "10.0.19044",
}
],
}
// More CVE objects...
]
}
Important Note about CPE Response Counting:
- When
includeCVEsisfalse: Thetotalcount represents unique CPE strings - When
includeCVEsistrue: Thetotalcount represents CPE-CVE associations (a single CPE may be associated with multiple CVEs, increasing the count)
CPE Search Parameters and WFN Usage
Well-Formed Name (WFN) Format
When using WFN (Well-Formed Name) format for CPE searches, you must provide the complete 13-part CPE string:
cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_software>:<target_hardware>:<other>
Important WFN Requirements:
- Complete Format Required: If you use WFN, you must specify all 13 parts of the CPE string
- Mutually Exclusive: WFN parameters cannot be used together with individual component parameters (vendor, product, version)
- Use Wildcards: Use
*for any parts you want to match broadly
WFN Examples:
{
"resource": "cpes",
"operation": "search",
"parameters": {
"wfn": [
"cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*"
],
"includeCVEs": true
}
}
Smart Version Filtering
The CVE API implements intelligent version filtering that works in sophisticated ways:
Version Matching Logic
When you specify a version in your search (either via the version parameter or within a WFN), the system:
- Exact Version Matches: Finds CPEs with the exact version specified
- Wildcard Version Matches: Finds CPEs with version
*that have version ranges covering your specified version - Range-based Filtering: Uses
versionStartIncluding,versionStartExcluding,versionEndIncluding, andversionEndExcludingof our cpe-cve database to determine if your version falls within vulnerable ranges
Example of Smart Version Filtering
If you search for apache:tomcat:8.5.5:
{
"resource": "cpes",
"operation": "search",
"parameters": {
"vendor": "apache",
"product": "tomcat",
"version": "8.5.5",
"includeCVEs": true
}
}
The system will return:
- CPEs with exactly
version: "8.5.5" - CPEs with
version: "*"where8.5.5falls within the specified version ranges - For example, a CPE with
version: "*",versionStartIncluding: "8.5.0", andversionEndIncluding: "8.5.10"would match
Integration in Workflow Context
The CVEs integration is particularly powerful when combined with other nodes in a workflow:
Common Workflow Patterns:
-
Technology Stack Vulnerability Assessment:
- Script Node (inventory of technologies) → CVEs Integration Node (search-by-technologies) → Script Node (process results) → Report Node (generate vulnerability report)
-
Security Alert Enrichment:
- Security Alert Node → Script Node (extract vulnerability identifiers) → CVEs Integration Node (search) → Slack Integration Node (post enriched alert)
-
Exploitable Vulnerability Monitoring:
- Schedule Node → CVEs Integration Node (search with onlyHasExploits=true) → Filter Node (high severity only) → Email Node (send notifications)
-
Patch Prioritization:
- Input Node (scan results) → Script Node (extract technology versions) → CVEs Integration Node (search-by-technologies) → Script Node (calculate risk scores) → Jira Integration Node (create tickets)
Available Parameters
CVE Search Parameters
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
cve_ids | array | List of specific CVE IDs to search for | No | - |
keywords | array | Keywords to search for (AND logic) | No | - |
minCVSS | number | Minimum CVSS score (e.g., 7.5) | No | - |
fromDate | number | Published after this date (Unix timestamp) | No | - |
toDate | number | Published before this date (Unix timestamp) | No | - |
onlyHasExploits | boolean | Only return CVEs with known exploits | No | false |
exploit_sources | array | If only_has_exploits is true, returns CVEs with exploits from these sources (e.g., ["metasploit", "github"]) | No | - |
minEPSS | number | Minimum EPSS score (e.g., 0.8) | No | - |
onlyPatched | boolean | Only return CVEs marked as patched | No | false |
onlyNotPatched | boolean | Only return CVEs marked as not patched | No | false |
onlyInCISAKEV | boolean | Only return CVEs in the CISA KEV catalog | No | false |
cisaKevFromDate | number | CISA KEV added after this date (Unix timestamp) | No | - |
cisaKevToDate | number | CISA KEV added before this date (Unix timestamp) | No | - |
cvssV3VectorParts | array | Filter by parts of a CVSS v3 vector (e.g., ["AV:N", "PR:L"]) | No | - |
pagination | object | Pagination settings (from, size) | No | {"from":1, "size":20} |
CVE Search by Technologies Parameters
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
technologies | array | Technology strings in "name:version" format | Yes | - |
minCVSS | number | Minimum CVSS score | No | - |
fromDate | number | Published after this date (Unix timestamp) | No | - |
toDate | number | Published before this date (Unix timestamp) | No | - |
onlyHasExploits | boolean | Only return CVEs with known exploits | No | false |
exploit_sources | array | If only_has_exploits is true, returns CVEs with exploits from these sources | No | - |
CPE Search Parameters
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
wfn | array | WFN format CPE identifiers (mutually exclusive with vendor/product/version) | No | - |
vendor | string | CPE vendor name | No | - |
product | string | CPE product name | No | - |
version | string | CPE version | No | - |
includeCVEs | boolean | Include associated CVEs in response | No | false |
onlyVulnerable | boolean | Only return CPEs with known vulnerabilities | No | false |
pagination | object | Pagination settings (from, size) | No | {"from":1, "size":20} |
Troubleshooting
| Issue | Resolution |
|---|---|
| Authentication failures | Verify your API key is correct and has not expired. Ensure that your domain URL is correctly formatted and includes the protocol (https://). |
| No results found | Check your search parameters. Try using fewer or more general keywords. Ensure date parameters are correctly formatted as Unix timestamps. |
| Connection errors | Verify that your network can reach the CVEs API endpoint. Check for firewalls or network restrictions that might be blocking access. |
| Invalid technology format | Ensure technologies are formatted as "name:version" pairs. If version is not specific, use "N/A" as the version. |
| CPE parameter conflicts | WFN parameter cannot be used together with vendor/product/version parameters. Choose one approach or the other. |
| Invalid WFN format | Ensure WFN strings have exactly 13 parts separated by colons. Example: cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*. If you don't want to specify a part, use *. |
| Unexpected CPE count results | Remember that when includeCVEs=true, the count reflects CPE-CVE associations, not unique CPEs. The same CPE may appear multiple times if associated with multiple CVEs. |
| Version filtering not working as expected | The system uses smart version matching. Ensure your version format matches the expected pattern, and remember that wildcard CPEs (version: "*") may match your specific version if it falls within their vulnerable ranges. |
| Rate limiting | The CVEs API may implement rate limiting. If you're hitting limits, consider implementing delays between operations or reducing the frequency of queries. |
| Slow response times | Large result sets may cause slow responses. Use pagination parameters to limit the number of results per request. |