Central Vulnerability Database
The Central Vulnerability Database (CVDB) is a source-agnostic vulnerability data repository that consolidates and enriches vulnerability records from multiple security sources into a single, authoritative view. Use CVDB to eliminate conflicting data across your vulnerability integrations and gain full visibility into which source is authoritative for each field.
Before CVDB, integrations would directly override fields on vulnerability records or create only placeholder entries. When a higher-quality source reported on the same Common Vulnerabilities and Exposures (CVEs), existing data could be silently overwritten. CVDB replaces this with a configurable, priority-based enrichment framework that preserves source fidelity while surfacing the most authoritative data for each field.
How Central Vulnerability Database works
CVDB acts as a centralized hub that integration plugins feed into via the CVDUtil API. Each integration source's raw data is preserved in dedicated source-specific tables. The consolidated CVDB record reflects the highest-priority value for each field, and a field update history tracks exactly which source last updated every field, providing full data provenance (a traceable record of where each field value came from).
CVDB uses a two-tier priority system to resolve conflicts when multiple sources report on the same vulnerability:
- Source-level priority: Determines default precedence across all fields. For example, NVD takes precedence over scanner sources by default.
- Field-level priority: Overrides source-level defaults for specific fields. For example, Vulnerability Intelligence sources such as Mandiant or Recorded Future take precedence for exploit status, while NVD remains authoritative for CVSS scores.
Supported sources
CVDB supports a broad ecosystem of upstream sources spanning authoritative vulnerability databases, enterprise scanners, and threat intelligence feeds:
- Authoritative databases: NVD, EUVD, JVN, CISA KEV, EPSS
- Vulnerability scanners: Microsoft Defender Vulnerability Management, Palo Alto Prisma Cloud, Qualys, Wiz
- Application security tools: Veracode, GitHub, Black Duck
Vulnerability Response, Container Security, and SBOM Response leverage enriched CVDB data for remediation workflows.
CVDB includes a priority configuration for ingesting CVEs. The Vulnerabilities Entries table (sn_vul_nvd_entry_LIST) now supports non-CVE vulnerability databases. Where a CVE identifier is not applicable, alternative sources such as EUVD and JVN can be used to populate the sn_vul_nvd_entry table.
Viewing vulnerability sources
- Navigate to .
- In the left navigation, select List.
- Under Lists, navigate to .
Priority-based field configuration
Fields are no longer overridden directly. The updated model uses priority-based configuration to define which source provides which field value. This configuration is managed through the Source Configurations [sn_sec_cvd_source_config_list.do] table.
To access Source Configurations, enter sn_sec_cvd_source_config.LIST in the Filter Navigator. Multiple sources that provide CVE information are listed here, each assigned a priority. NVD holds the highest priority, followed by other registered sources.
Source-specific attribute tables
A separate table is maintained for each source, containing attributes specific to that source that enrich CVE records. Rather than writing enrichment data directly to the NVD table, source-specific tables are added as references in CVE records. These tables can be found in sys_db_object_list.do. Attributes from different sources can then be selected within the NVD Entries table [sn_vul_nvd_entry_list.do].
CVDUtil API
CVDUtil is the central API for ingesting vulnerability data into the NVD entries table. It applies priority-based processing to determine which source fields are written to the record.
All NVD table ingestion must go through the CVDUtil API. This API enforces priority configurations and ensures that field-level rules are respected during record creation and updates. The primary method is createOrUpdateCVD. When called, it performs the following operations:
- Checks the configured source priorities to determine which source may override specific fields.
- Runs the "process enrich with payload" step to apply enrichment data according to priority rules.
- Runs the "process source-specific fields" step to handle fields that belong exclusively to individual sources. The payload accepts a source field as a separate key.
When a non-CVE vulnerability source maps to multiple CVEs, pass the related CVE identifiers through the cvdlist parameter. The API will link the CVD record to all specified CVEs. References and exploit records can also be ingested through this API.
Construct the payload using CVDUtil first, then use it to insert the record. Vulnerability score values can come from different sources. You can configure which source to prioritize for score assignment, determining which score value takes precedence.
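The following is an added, stand-alone JavaScript model of the two-tier priority resolution and field update history that the sections above describe; it is not ServiceNow's CVDUtil code, and the names (SOURCE_PRIORITY, FIELD_OVERRIDES, createOrUpdate, demo), priorities and payload values are constructed assumptions for illustration.

```javascript
// Added example: a plain-JavaScript model of CVDB's two-tier priority
// resolution and field update history. Not ServiceNow code; every name,
// priority and payload value below is a constructed assumption.

// Source-level priority: lower number wins. NVD outranks scanners by default.
const SOURCE_PRIORITY = { NVD: 1, Mandiant: 2, Qualys: 3 };

// Field-level priority: for the listed fields, these sources outrank the
// source-level order (here Mandiant is authoritative for exploit status).
const FIELD_OVERRIDES = { exploit_status: ["Mandiant"] };

// Rank of a source for one field; smaller is more authoritative.
function rank(source, field) {
  const override = FIELD_OVERRIDES[field] || [];
  const i = override.indexOf(source);
  if (i !== -1) return i;
  return 100 + (SOURCE_PRIORITY[source] || 999); // unknown sources rank last
}

// Apply one source's payload to a consolidated record. Raw data is kept per
// source (modelling the source-specific tables); a consolidated field only
// changes when the incoming source is at least as authoritative for that field.
function createOrUpdate(record, source, payload) {
  record.raw = record.raw || {};
  record.fields = record.fields || {};
  record.history = record.history || {};
  record.raw[source] = Object.assign(record.raw[source] || {}, payload);
  for (const [field, value] of Object.entries(payload)) {
    const last = record.history[field];
    if (!last || last.source === source || rank(source, field) < rank(last.source, field)) {
      record.fields[field] = value;
      record.history[field] = { source }; // provenance: who last set this field
    }
  }
  return record;
}

// Ingest order is deliberately "least authoritative first" to show that later,
// lower-priority updates do not overwrite higher-priority values.
function demo() {
  const record = { id: "CVE-0000-00000" }; // constructed placeholder identifier
  createOrUpdate(record, "Qualys", { cvss_score: 7.5, exploit_status: "unknown" });
  createOrUpdate(record, "NVD", { cvss_score: 9.8, exploit_status: "none" });
  createOrUpdate(record, "Mandiant", { exploit_status: "exploited" });
  createOrUpdate(record, "Qualys", { cvss_score: 8.0 }); // ignored for cvss_score
  return record;
}
```

After demo() runs, the consolidated record carries NVD's CVSS score and Mandiant's exploit status, while record.raw still holds every value each source reported.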
Key capabilities
- Priority-based data enrichment: A two-tier priority system (source-level and field-level) automatically resolves conflicts when multiple sources report on the same vulnerability, ensuring the most trusted data wins.
- Extensible integration framework: Includes out-of-the-box support for authoritative databases, vulnerability scanners, and threat intelligence feeds. Additional integrations can be configured with custom source priority via the CVDUtil API.
- Source-specific data preservation: Raw data from each source is stored in dedicated tables, preserving full fidelity while the consolidated CVD record presents the prioritized view.
- Field update tracking: An audit trail records which source last updated each field on every CVD record. This enables transparency and troubleshooting of data provenance.
- Non-CVE to CVE mapping: Automatically handles non-CVE identifiers by mapping them to CVE records when assignments become available. Duplicate entries are deactivated.
- CVDB Overview workspace tab: A consolidated workspace view displays CVDB record details, including CVSS scores, EPSS data, exploit status, references, affected software, and CWE classifications.