Central Vulnerability Database

  • Release version: Yokohama
  • Updated March 28, 2026
  • 4 minutes to read

    The Central Vulnerability Database (CVDB) is a source-agnostic vulnerability data repository that consolidates and enriches vulnerability records from multiple security sources into a single, authoritative view. Use CVDB to eliminate conflicting data across your vulnerability integrations and gain full visibility into which source is authoritative for each field.

    Before CVDB, integrations would directly override fields on vulnerability records or create only placeholder entries. When a higher-quality source reported on the same Common Vulnerabilities and Exposures (CVEs), existing data could be silently overwritten. CVDB replaces this with a configurable, priority-based enrichment framework that preserves source fidelity while surfacing the most authoritative data for each field.

    How Central Vulnerability Database works

    CVDB acts as a centralized hub that integration plugins feed into via the CVDUtil API. Each integration source's raw data is preserved in dedicated source-specific tables. The consolidated CVDB record reflects the highest-priority value for each field, and a field update history tracks exactly which source last updated every field, providing full data provenance (a traceable record of where each field value came from).

    CVDB uses a two-tier priority system to resolve conflicts when multiple sources report on the same vulnerability:

    • Source-level priority: Determines the default precedence across all fields. For example, NVD takes precedence over scanner sources by default.
    • Field-level priority: Overrides the source-level default for specific fields. For example, Vulnerability Intelligence sources such as Mandiant or Recorded Future take precedence for exploit status, while NVD remains authoritative for CVSS scores.

    Supported sources

    CVDB supports a broad ecosystem of upstream sources spanning authoritative vulnerability databases, enterprise scanners, and threat intelligence feeds:

    • Authoritative databases: NVD, EUVD, JVN, CISA KEV, EPSS
    • Vulnerability scanners: Microsoft Defender Vulnerability Management, Palo Alto Prisma Cloud, Qualys, Wiz
    • Application security tools: Veracode, GitHub, Black Duck

    Vulnerability Response, Container Security, and SBOM Response leverage enriched CVDB data for remediation workflows.

    CVDB includes a priority configuration for ingesting CVEs. The Vulnerabilities Entries table (sn_vul_nvd_entry_LIST) now also supports non-CVE vulnerability databases. Where a CVE identifier is not available or no longer applies, alternative sources such as EUVD and JVN can be used to populate the sn_vul_nvd_entry table.

    Viewing vulnerability sources

    To view the vulnerability sources:

    1. Navigate to Workspaces > Security Exposure Management.
    2. In the left navigation, select List.
    3. Under Lists, navigate to Libraries > Vulnerabilities.

    On the Libraries - Vulnerabilities list page, a new Sources column displays all the sources that have enriched a given CVE. Even when NVD creates a CVE record without enrichment data, other sources such as Microsoft Defender Vulnerability Management, Qualys, and Mandiant can enrich that record.

    Priority-based field configuration

    Fields are no longer overridden directly. The updated model uses priority-based configuration to define which source provides which field value. This configuration is managed through the Source Configurations [sn_sec_cvd_source_config_list.do] table.

    To access Source Configurations, enter sn_sec_cvd_source_config.LIST in the Filter Navigator. Multiple sources that provide CVE information are listed here, each assigned a priority. NVD holds the highest priority, followed by other registered sources.

    Source-specific attribute tables

    A separate table is maintained for each source, containing attributes specific to that source that enrich CVE records. Rather than writing enrichment data directly to the NVD table, source-specific tables are added as references in CVE records. These tables can be found in sys_db_object_list.do. Attributes from different sources can then be selected within the NVD Entries table [sn_vul_nvd_entry_list.do].

    CVDUtil API

    CVDUtil is the central API for ingesting vulnerability data into the NVD entries table. It applies priority-based processing to determine which source fields are written to the record.

    All NVD table ingestion must go through the CVDUtil API. This API enforces priority configurations and ensures that field-level rules are respected during record creation and updates.

    The primary method is createOrUpdateCVD. When called, it performs the following operations:

    • Checks the configured source priorities to determine which source may override each field.
    • Runs the "process enrich with payload" step, which applies the enrichment data according to the priority rules.
    • Runs the "process source-specific fields" step, which handles fields that belong exclusively to individual sources. The payload carries the source as a separate key.

    When a non-CVE vulnerability source maps to multiple CVEs, pass the related CVE identifiers through the cvdlist parameter. The API will link the CVD record to all specified CVEs. References and exploit records can also be ingested through this API.

    Construct the payload with CVDUtil first, then pass it to the API to insert or update the record. Vulnerability score values can come from several sources; you configure which source is prioritized for score assignment, and that source's score value takes precedence.
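    The two-tier resolution and per-field history described above, modelled as an added stand-alone example. This is not ServiceNow's CVDUtil or its data model: the source names, the priority numbers (lower number wins, an assumption made here), the field names and the payloads are all constructed for illustration.

```javascript
// Added example: a stand-alone model of CVDB-style two-tier priority
// resolution with per-field provenance. It is not ServiceNow's CVDUtil;
// source names, priority numbers and payloads are constructed.
// Convention assumed here: lower number = higher priority.
const sourcePriority = { NVD: 1, Mandiant: 2, Qualys: 3 };
// Field-level overrides replace the source-level default for one field only:
// Mandiant outranks NVD for exploit_status, while NVD still wins CVSS scores.
const fieldPriority = { exploit_status: { Mandiant: 1, NVD: 2, Qualys: 3 } };

function priorityFor(source, field) {
  const perField = fieldPriority[field];
  if (perField && source in perField) return perField[source];
  if (source in sourcePriority) return sourcePriority[source];
  return Infinity; // an unregistered source never wins a conflict
}

// record = { fields, history, sources }: the consolidated view, the
// "which source last wrote this field" trail, and the raw per-source data.
function createOrUpdate(record, source, payload) {
  const rec = record || { fields: {}, history: {}, sources: {} };
  // Raw data is kept per source, so lower-priority values are never lost.
  rec.sources[source] = { ...(rec.sources[source] || {}), ...payload };
  for (const [field, value] of Object.entries(payload)) {
    const p = priorityFor(source, field);
    const prev = rec.history[field];
    // Write when the field is empty, when this source outranks the last
    // writer, or when the same source is refreshing its own value.
    if (!prev || p < prev.priority || prev.source === source) {
      rec.fields[field] = value;
      rec.history[field] = { source, priority: p };
    }
  }
  return rec;
}

// Three constructed payloads for one CVE, arriving scanner-first by default.
function demo(order = ['Qualys', 'NVD', 'Mandiant']) {
  const payloads = {
    Qualys: { cvss_score: 7.5, exploit_status: 'unknown', summary: 'scanner text' },
    NVD: { cvss_score: 9.8, summary: 'NVD description' },
    Mandiant: { cvss_score: 8.0, exploit_status: 'exploited' },
  };
  return order.reduce((rec, src) => createOrUpdate(rec, src, payloads[src]), null);
}

const result = demo();
console.log(result.fields); // cvss_score 9.8 (NVD), exploit_status 'exploited' (Mandiant)
console.log(result.history.exploit_status.source); // 'Mandiant'
```

    Because resolution depends only on priorities and not on arrival order, feeding the same payloads in a different order yields the same consolidated fields, which is the property that stops a later low-quality source from silently overwriting a better one.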

    Key capabilities

    • Priority-based data enrichment: A two-tier priority system (source-level and field-level) automatically resolves conflicts when multiple sources report on the same vulnerability, ensuring the most trusted data wins.
    • Extensible integration framework: Includes out-of-the-box support for authoritative databases, vulnerability scanners, and threat intelligence feeds. Additional integrations can be configured with a custom source priority via the CVDUtil API.
    • Source-specific data preservation: Raw data from each source is stored in dedicated tables, preserving full fidelity while the consolidated CVD record presents the prioritized view.
    • Field update tracking: An audit trail records which source last updated each field on every CVD record, enabling transparency and troubleshooting of data provenance.
    • Non-CVE to CVE mapping: Automatically handles non-CVE identifiers by mapping them to CVE records when assignments become available. Duplicate entries are deactivated.
    • CVDB Overview workspace tab: A consolidated workspace view displays CVDB record details, including CVSS scores, EPSS data, exploit status, references, affected software, and CWE classifications.