CVE databases compared: NVD vs CISA KEV vs ENISA EUVD vs GitHub Advisories
The problem with using one source
Most security teams rely on a single vulnerability database. Usually NVD. It is the largest, the most established, and the one every scanner vendor pulls from.
But NVD alone has blind spots. It was months behind on enrichment in 2024. GitHub Advisories catches vulnerabilities in open-source packages that NVD misses entirely. CISA KEV tells you which CVEs are actually under attack. And ENISA EUVD brings the European perspective.
No single database gives you the full picture. Here is what each one does, and where it falls short.
NVD: the foundation
The National Vulnerability Database is operated by NIST (U.S. National Institute of Standards and Technology). It is the de facto global CVE registry.
What it covers:
- Every CVE identifier issued by a CNA (CVE Numbering Authority)
- CVSS scores (base, temporal, environmental)
- CPE entries (affected products and versions)
- References to advisories, patches, and exploits
Strengths:
- Most complete CVE catalog (280,000+ entries)
- Standardized CVSS scoring
- Machine-readable (JSON feeds, API)
- Every major scanner and tool integrates with NVD
Weaknesses:
- Enrichment delays: CVEs can sit for weeks without a CVSS score or CPE match
- No exploitation context: NVD does not tell you if a CVE is being exploited
- No EPSS data (that comes from FIRST.org separately)
- Volume: 35,000+ CVEs per year, most of which are irrelevant to any given organization
Best for: Baseline coverage. You need NVD as a foundation, but not as your only source.
CISA KEV: confirmed exploitation
The Known Exploited Vulnerabilities catalog is maintained by CISA. It lists CVEs that are confirmed to be actively exploited in the wild. Read the full KEV breakdown here.
What it covers:
- CVEs with confirmed active exploitation
- Due dates for remediation (originally for U.S. federal agencies via BOD 22-01)
- Vendor and product information
Strengths:
- Zero noise: Every entry is a real, confirmed threat
- Clear action: If it is on the list, patch it now
- Relevant for NIS2 compliance
- Updated multiple times per week
Weaknesses:
- Small catalog: ~1,200 CVEs (by design, only confirmed exploitation)
- Reactive: A CVE appears on KEV after exploitation is confirmed, not before
- U.S.-centric: Focused on threats to U.S. federal infrastructure
- No CVSS or EPSS data (you need NVD and FIRST.org for that)
Best for: Patch prioritization. If a CVE is on KEV and in your stack, stop everything and patch.
ENISA EUVD: the European perspective
The European Union Vulnerability Database is operated by ENISA (European Union Agency for Cybersecurity). Launched in 2024, it brings a European regulatory lens to vulnerability management.
What it covers:
- CVEs relevant to the EU market
- Advisories from European CERTs and vendors
- Mapping to EU regulations (NIS2, Cyber Resilience Act)
- Severity assessments aligned with European risk frameworks
Strengths:
- European regulatory context that NVD does not provide
- Advisories from national CERTs (BSI, ANSSI, CERT-EU)
- Growing relevance as NIS2 enforcement increases
- Supplements NVD with EU-specific advisory data
Weaknesses:
- Newer database, smaller catalog than NVD
- API and data feeds still maturing
- Overlap with NVD for most CVE base data
- Less adoption in non-European tooling
Best for: European organizations that need to demonstrate NIS2 compliance and want advisories from their national CERTs.
GitHub Security Advisories: open source focus
GitHub Advisory Database is maintained by GitHub and the open-source community. It covers vulnerabilities in packages distributed through npm, PyPI, RubyGems, Maven, NuGet, Go, Rust, and more.
What it covers:
- Vulnerabilities in open-source packages and libraries
- Mapping to package ecosystems (npm, pip, etc.)
- Severity ratings (aligned with CVSS)
- Links to patches, PRs, and Dependabot alerts
Strengths:
- Fastest source for open-source vulnerabilities (often reported before NVD)
- Package-level granularity (not just product-level like NVD CPE)
- Community-reviewed: maintainers and researchers can submit and validate
- Directly integrated into GitHub Dependabot and code scanning
Weaknesses:
- Only covers open-source software distributed via supported ecosystems
- No coverage of proprietary software, hardware, or firmware
- No exploitation context (does not track active attacks)
- GitHub-centric: if you do not use GitHub, integration is harder
Best for: Development teams that rely on open-source dependencies. Catches library vulnerabilities that NVD may not have CPE mappings for.
Side-by-side comparison
| | NVD | CISA KEV | ENISA EUVD | GitHub Advisories |
|---|---|---|---|---|
| Operator | NIST (U.S.) | CISA (U.S.) | ENISA (EU) | GitHub / Community |
| Scope | All CVEs | Exploited CVEs only | EU-relevant CVEs | Open-source packages |
| Size | 280,000+ | ~1,200 | Growing | 30,000+ |
| CVSS scores | Yes | No | Yes | Yes |
| Exploitation data | No | Yes (confirmed) | Partial | No |
| Update speed | Days to weeks | Same day | Days | Hours to days |
| API | Yes (free) | Yes (free) | Yes (free) | Yes (free) |
| Best for | Baseline coverage | Patch urgency | EU compliance | Open-source deps |
Why you need all four
Each database answers a different question:
- NVD: "Does this CVE exist and how severe is it?"
- CISA KEV: "Is this CVE being exploited right now?"
- ENISA EUVD: "What does the European advisory say about this CVE?"
- GitHub: "Is this vulnerability in one of my open-source dependencies?"
Using only NVD means you miss exploitation context. Using only KEV means you miss 99% of CVEs. Using only GitHub means you miss anything outside open-source packages.
How Nautilus combines them
Nautilus aggregates all four databases into a single feed. Every CVE is cross-referenced automatically:
- NVD provides the base CVE data and CVSS score
- CISA KEV flags are shown as badges on affected CVEs
- ENISA EUVD advisories are included where available
- GitHub Advisories catch open-source package vulnerabilities
Combined with EPSS scores and PoC detection, you get a unified view that no single database can provide alone.
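The cross-referencing described in the two sections above, as an added example (this is illustrative code, not Nautilus's own). It merges the four sources into one record per CVE, keyed on the GHSA id when no CVE has been assigned, and handles the two edge cases the page calls out: NVD entries still awaiting enrichment (no CVSS) fall back to the GitHub severity rating, and a CVE that only KEV knows about still gets an exploitation flag. All records are constructed; the NVD, KEV and GHSA shapes are reduced versions of the public feeds, and the EUVD record shape is an assumption.

```python
"""Cross-reference NVD, CISA KEV, ENISA EUVD and GitHub Advisories into one
prioritised view. Added example, not Nautilus's code. All records below are
constructed and only loosely follow the public feed shapes (NVD API 2.0,
the KEV JSON feed, GitHub Advisory Database records); the EUVD record shape
is assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# ---- Constructed sample inputs (not real advisories) ------------------------
NVD = {  # NVD API 2.0 style, reduced to the fields used here
    "CVE-2025-0001": {"cvss": 9.8, "cpes": ["cpe:2.3:a:examplevendor:gateway:1.0:*:*:*:*:*:*:*"]},
    "CVE-2025-0002": {"cvss": None, "cpes": []},  # published, enrichment pending
    "CVE-2025-0003": {"cvss": 5.3, "cpes": ["cpe:2.3:a:examplevendor:agent:1.0:*:*:*:*:*:*:*"]},
    "CVE-2025-0005": {"cvss": None, "cpes": ["cpe:2.3:a:examplevendor:agent:2.1:*:*:*:*:*:*:*"]},
}
KEV = [  # CISA KEV style: cveID + dueDate
    {"cveID": "CVE-2025-0001", "dueDate": "2025-03-15"},
    {"cveID": "CVE-2025-0004", "dueDate": "2025-04-30"},  # no NVD record yet
]
GHSA = [  # GitHub Advisory Database style (ids are placeholders)
    {"ghsa_id": "GHSA-xxxx-xxxx-0001", "cve_id": "CVE-2025-0002", "severity": "high",
     "package": {"ecosystem": "npm", "name": "example-parser"}},
    {"ghsa_id": "GHSA-xxxx-xxxx-0002", "cve_id": None, "severity": "medium",
     "package": {"ecosystem": "pip", "name": "example-yaml"}},  # no CVE assigned
]
EUVD = {  # assumed shape
    "CVE-2025-0003": {"advisory": "CERT-EU-EXAMPLE-0003", "regulations": ["NIS2"]},
}
INVENTORY = {  # what this organisation actually runs (constructed)
    "cpes": {"cpe:2.3:a:examplevendor:gateway:1.0:*:*:*:*:*:*:*",
             "cpe:2.3:a:examplevendor:agent:2.1:*:*:*:*:*:*:*"},
    "packages": {("npm", "example-parser"), ("pip", "example-yaml")},
}
# Lower bound of the CVSS range each GitHub severity label covers; used only
# while NVD has not scored the CVE yet.
SEVERITY_FLOOR = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.1}


@dataclass
class Unified:
    id: str
    cvss: Optional[float] = None
    cvss_source: str = "none"
    exploited: bool = False
    kev_due: Optional[date] = None
    cpes: list = field(default_factory=list)
    packages: list = field(default_factory=list)
    eu_advisory: Optional[str] = None


def build_unified(nvd=NVD, kev=KEV, ghsa=GHSA, euvd=EUVD):
    """Merge the four feeds into one record per CVE (or GHSA id without a CVE)."""
    out = {}
    for cve, rec in nvd.items():  # NVD: base record, CPEs and CVSS when enriched
        u = out.setdefault(cve, Unified(cve))
        u.cpes = list(rec["cpes"])
        if rec["cvss"] is not None:
            u.cvss, u.cvss_source = rec["cvss"], "NVD"
    for entry in kev:  # KEV: the only source that asserts confirmed exploitation
        u = out.setdefault(entry["cveID"], Unified(entry["cveID"]))
        u.exploited = True
        u.kev_due = date.fromisoformat(entry["dueDate"])
    for adv in ghsa:  # GHSA: package-level mapping, plus a severity fallback
        key = adv["cve_id"] or adv["ghsa_id"]
        u = out.setdefault(key, Unified(key))
        u.packages.append((adv["package"]["ecosystem"], adv["package"]["name"]))
        if u.cvss is None:
            u.cvss, u.cvss_source = SEVERITY_FLOOR[adv["severity"]], "GHSA severity floor"
    for cve, rec in euvd.items():  # EUVD: attach the European advisory reference
        out.setdefault(cve, Unified(cve)).eu_advisory = rec["advisory"]
    return out


def affects(u, inventory=INVENTORY):
    """True when a CPE or a package of the record is in our inventory."""
    return (any(c in inventory["cpes"] for c in u.cpes)
            or any(p in inventory["packages"] for p in u.packages))


def tier(u):
    """1 = confirmed exploited (KEV), 2 = CVSS >= 7, 3 = unscored (needs review), 4 = rest."""
    if u.exploited:
        return 1
    if u.cvss is None:
        return 3
    return 2 if u.cvss >= 7.0 else 4


def prioritize(unified, inventory=INVENTORY):
    """Records affecting our inventory, ordered by tier then CVSS (desc)."""
    hits = [u for u in unified.values() if affects(u, inventory)]
    hits.sort(key=lambda u: (tier(u), -(u.cvss or 0.0), u.id))
    return [(u.id, tier(u)) for u in hits]


def overdue_kev(unified, today_iso):
    """KEV entries whose remediation due date has already passed."""
    today = date.fromisoformat(today_iso)
    return sorted(u.id for u in unified.values() if u.kev_due and u.kev_due < today)


if __name__ == "__main__":
    merged = build_unified()
    for cve_id, t in prioritize(merged):
        u = merged[cve_id]
        print(f"tier {t}  {cve_id:<22} cvss={u.cvss} ({u.cvss_source}) kev={u.exploited}")
    print("overdue KEV:", overdue_kev(merged, "2025-04-01"))
```

The unscored tier sits above ordinary medium and low findings deliberately: a CVE without a CVSS score is not evidence that it is harmless, only that NVD has not got to it yet, so it is routed to manual review rather than silently sinking to the bottom of the queue.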
Frequently Asked Questions
Which CVE database is the most reliable? NVD is the most complete in terms of coverage. CISA KEV is the most actionable for patch prioritization. No single database is "the most reliable". They serve different purposes and are most effective when used together.
Is there a cost to access these databases? All four databases are free and publicly accessible. NVD, CISA KEV, and ENISA EUVD provide public APIs. GitHub Advisory Database is accessible via the GitHub API and the web interface.
How quickly do new CVEs appear in each database? GitHub Advisories is often fastest for open-source vulnerabilities (hours). CISA KEV adds CVEs within a day of confirming exploitation. NVD can take days to weeks for full enrichment (CVSS scores, CPE entries).
Related: Learn why CVSS alone is not enough for prioritization, how CISA KEV helps you focus on exploited CVEs, or read the complete guide to vulnerability management.
Nautilus aggregates NVD, CISA KEV, ENISA EUVD, and GitHub Advisories into one dashboard. No tab-switching, no duplicates. Try it free.