Request a free NVD API key at https://nvd.nist.gov/developers/request-an-api-key; include it in requests as the apiKey query parameter to access the higher rate limit of 50 requests per 30-second rolling window.
Perform an initial full sync by paging through all CVEs with GET https://services.nvd.nist.gov/rest/json/cves/2.0?startIndex=0&resultsPerPage=2000, incrementing startIndex by resultsPerPage each iteration until startIndex exceeds totalResults.
Sleep at least 6 seconds between requests (even with an API key) to stay within rate limits; implement exponential back-off on HTTP 403 or 503 responses.
For incremental updates, query with lastModStartDate and lastModEndDate parameters (ISO 8601 format) to retrieve only CVEs modified since your last sync; run this no more than once every two hours.
Parse each CVE item for cveId, descriptions, cvssMetricV31 (or cvssMetricV40 if present), weaknesses (CWE), and references to build or update your local vulnerability database.
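The paging, back-off and parsing steps above, combined into one sync loop. This is an added example, not code from the original page or from NVD. `fetch_page` is a hypothetical callable standing in for the HTTP GET, the JSON layout (`vulnerabilities[].cve.id`, `metrics.cvssMetricV31[].cvssData.baseScore`) is assumed from the NVD 2.0 response format, and the sample records are constructed.

```python
import time

def parse_cve(item):
    """Flatten one entry of the response's "vulnerabilities" array."""
    cve = item["cve"]
    metrics = cve.get("metrics", {})
    # Use CVSS v4.0 if present, else v3.1; un-enriched records may carry neither.
    key = next((k for k in ("cvssMetricV40", "cvssMetricV31") if metrics.get(k)), None)
    return {
        "cve_id": cve["id"],
        "description": next((d["value"] for d in cve.get("descriptions", [])
                             if d.get("lang") == "en"), ""),
        "cvss_version": key,
        "base_score": metrics[key][0]["cvssData"]["baseScore"] if key else None,
        "cwes": sorted({d["value"] for w in cve.get("weaknesses", [])
                        for d in w.get("description", [])}),
        "references": [r["url"] for r in cve.get("references", [])],
    }

def full_sync(fetch_page, page_size=2000, delay=6, max_retries=5, sleep=time.sleep):
    """fetch_page(start_index, page_size) -> (http_status, decoded_json_or_None)."""
    db, start, total = {}, 0, None
    while total is None or start < total:
        for attempt in range(max_retries):
            status, body = fetch_page(start, page_size)
            if status not in (403, 503):
                break
            sleep(delay * 2 ** (attempt + 1))  # assumed back-off schedule: 12 s, 24 s, 48 s, ...
        if status != 200:
            raise RuntimeError(f"HTTP {status} at startIndex={start}")
        total = body["totalResults"]
        db.update((r["cve_id"], r) for r in map(parse_cve, body["vulnerabilities"]))  # upsert
        start += page_size
        if start < total:
            sleep(delay)  # pause between successive page requests
    return db

# Constructed sample records (not real CVEs), served by a stand-in for the HTTP call.
SAMPLE = [{"cve": {"id": "CVE-0000-0001",
    "descriptions": [{"lang": "en", "value": "sample"}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
    "references": [{"url": "https://example.com/advisory"}]}},
  {"cve": {"id": "CVE-0000-0002", "descriptions": [], "metrics": {}}}]  # no enrichment yet

def demo():
    page = lambda i, n: (200, {"totalResults": len(SAMPLE), "vulnerabilities": SAMPLE[i:i + n]})
    return full_sync(page, page_size=1, sleep=lambda s: None)
```

Records that come back with `base_score` of `None` are the ones to re-query later, as the enrichment-backlog note below describes.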
Known gotchas
Without an API key the rate limit is 5 requests per 30-second window, which makes a full initial sync extremely slow; always register for a key before building production pipelines.
NVD experienced processing backlogs in 2024-2025 that delayed enrichment of CVE records; newly published CVEs may appear with minimal metadata — re-query recently added CVEs after 24-48 hours.
The resultsPerPage maximum is 2000; requesting more returns an HTTP 400 error, not a silent truncation.