Supported Products
Attestd currently covers 39 software products. Coverage is intentionally narrow: each product in the set has acceptable sentinel rates in NVD (where evaluated), well-maintained CPE records, and enough historical CVE data to produce reliable synthesis output.
Pass the exact slug shown below as the product parameter. Product names are normalized to lowercase with spaces replaced by underscores, so Apache Log4j and log4j resolve to the same record.
cassandra: Distributed wide-column store from the ASF. CVE history includes serious issues in optional features (e.g. UDF execution). Keyword uses the full phrase "Apache Cassandra" to limit noise.
High-throughput writes, time series at scale, multi-region clusters
couchdb: Document database with replication. Includes critical historical RCEs (e.g. CVE-2022-24706, KEV). Tracked as apache:couchdb.
Offline-first apps, sync-heavy workloads
apache_derby: Apache's embedded Java relational database (JDBC). NVD tracks it as apache:derby with a modest but usable CVE history for server-side SQL and network exposure scenarios.
Embedded databases, Java tooling, test fixtures
couchbase: Distributed document database with search and analytics. Tracked as couchbase:couchbase_server in NVD with substantive CVE ranges.
Mobile sync backends, session stores, personalization
elasticsearch: Elastic's search and analytics engine. Standard semver in NVD under elastic:elasticsearch.
Search, log aggregation, observability stacks
mariadb: Community fork of MySQL. Single NVD namespace mariadb:mariadb with strong CVE coverage and semver-style versions.
MySQL-compatible deployments, managed databases
mssql: Enterprise RDBMS from Microsoft. NVD commonly uses dotted build numbers (e.g. 15.0.x) rather than marketing years.
Enterprise apps, .NET stacks, Azure SQL siblings
mongodb: Document-oriented database. MongoDB is a CNA; NVD entries often include explicit CPE ranges.
Application data, analytics, AI/ML pipelines
mysql: Oracle's open-source RDBMS. NVD merges pre- and post-acquisition vendor namespaces (mysql:mysql and oracle:mysql) for complete historical coverage.
LAMP/LEMP stacks, SaaS backends, managed MySQL
oracle_db: Oracle's flagship RDBMS. NVD uses numeric release trains (e.g. 19.x, 21.x), not marketing labels like 19c.
ERP, finance, large packaged applications
postgresql: The PostgreSQL open-source relational database. Coverage includes server-side vulnerabilities and privilege bypass issues in the query engine.
Application databases, analytics workloads
redis: In-memory data structure store. CVE records are merged across two NVD vendor namespaces reflecting the 2021 vendor name change from redislabs to redis.
Caching layers, session stores, message queues
sqlite: Embedded SQL engine. CVE history is thinner than client-server databases but includes real memory-safety issues; tracked as sqlite:sqlite.
Mobile apps, browsers, embedded devices, desktop software
apache_httpd: The Apache HTTP Server Project's web server, tracked as apache:http_server in NVD. Coverage includes module-specific vulnerabilities such as mod_proxy and mod_cgi.
Web servers, shared hosting infrastructure
caddy: Go-based HTTP server with automatic HTTPS. Tracked as caddyserver:caddy in NVD. Newer project; added after passing eligibility checks.
Developer environments, reverse proxies, AI deployment endpoints
haproxy: High-availability load balancer and TCP/HTTP proxy. HAProxy is its own CNA and self-publishes CVEs, producing high-quality NVD records. CVE history concentrates in HTTP header parsing and request smuggling.
Load balancers, API gateways, high-availability frontends
nginx: HTTP server and reverse proxy. CVE coverage spans pre- and post-F5 acquisition records, merged across two NVD vendor namespaces.
Web servers, load balancers, API gateways
squid: Caching proxy for HTTP, HTTPS, and FTP. Tracked as squid-cache:squid in NVD with an extensive CVE history in HTTP request parsing and authentication handling.
Forward proxies, content caching, network security layers
traefik: Cloud-native reverse proxy and ingress controller for Kubernetes and container environments. Tracked as traefik:traefik in NVD.
Kubernetes ingress, microservice routing, AI model serving endpoints
varnish: HTTP accelerator for content-heavy dynamic websites. NVD uses two CPE namespaces (varnish-cache:varnish and varnish_cache_project:varnish_cache); both are queried and merged.
CDN edge caching, high-traffic web frontends
apache_activemq: Apache's JMS message broker. Single namespace apache:activemq in NVD. CVE-2023-46604 (CVSS 10.0, CISA KEV) is an actively exploited RCE via OpenWire protocol deserialization.
Enterprise messaging, event-driven architectures, Spring ecosystems
apache_kafka: Distributed event streaming platform maintained by the Apache Software Foundation (CNA). CVE history includes SASL JAAS injection and authorization bypass vulnerabilities.
Data pipelines, AI/ML streaming, event sourcing
apache_pulsar: Cloud-native messaging and streaming platform from the ASF. CVE history includes authentication bypass in the WebSocket Proxy and broker authorization issues.
AI data pipelines, multi-tenant streaming, Kafka alternatives
mosquitto: Eclipse Foundation MQTT broker, the dominant open-source implementation. Tracked as eclipse:mosquitto in NVD.
IoT infrastructure, edge AI deployments, MQTT messaging
rabbitmq: AMQP message broker developed by Pivotal Software, acquired by VMware in 2019. NVD maintains records under both pivotal_software:rabbitmq and vmware:rabbitmq; both are queried and merged.
Task queuing, event-driven architectures, microservice messaging
zeromq: High-performance asynchronous messaging library (libzmq). Tracked as zeromq:libzmq in NVD. A direct dependency of Jupyter kernels, relevant to AI and data science environments.
Jupyter kernels, AI tooling, distributed messaging
argo_cd: GitOps continuous delivery for Kubernetes. Tracked as argoproj:argo_cd in NVD with strong semver-style CPE ranges.
Kubernetes GitOps, progressive delivery, platform engineering
containerd: CNCF container runtime used as the default runtime in Kubernetes. NVD tracks it as linuxfoundation:containerd (no active docker:containerd CPE dictionary entries as of 2026-04-25).
Kubernetes nodes, container hosts, Docker Engine stack
docker_engine: Docker's container engine, tracked as docker:docker in NVD. Low-level container escape CVEs are tracked separately under runc (linuxfoundation:runc).
Developer workstations, CI/CD agents, container hosts
helm: Kubernetes package manager. Tracked as helm:helm in NVD with substantive chart and CLI CVE history.
Kubernetes packaging, CI/CD, platform engineering
kube_apiserver: Kubernetes control plane API. Shares kubernetes:kubernetes CPE with other components; keyword kube-apiserver scopes NVD results.
Kubernetes control plane, managed Kubernetes (EKS, GKE, AKS)
kubelet: Kubernetes node agent. Shares kubernetes:kubernetes CPE with kube-apiserver; keyword kubelet scopes NVD results.
Kubernetes worker nodes, node pools
runc: OCI reference container runtime. NVD uses linuxfoundation:runc (not opencontainers:runc). Used by Docker Engine and containerd for container execution.
Container hosts, Kubernetes nodes, low-level runtime
tomcat: The Apache Software Foundation servlet container for Java web applications. Tracked as apache:tomcat in NVD.
Java application servers, Spring Boot embedded servers, PaaS runtimes
jetty: Java HTTP server and servlet container maintained by the Eclipse Foundation. Historical CVEs use the legacy mortbay:jetty namespace; current CVEs use eclipse:jetty. Both are queried and merged on CVE ID.
Java application servers, embedded in Solr and Eclipse IDE
log4j: Java logging library from the Apache Software Foundation. Covers both the 1.x and 2.x release families, each tracked under separate NVD CPE namespaces.
JVM applications, enterprise middleware, Elasticsearch
microsoft_exchange: Microsoft's on-premises mail server. Version strings using CU notation (Exchange 2019 CU14) are normalized before range comparison.
Enterprise email infrastructure, hybrid Office 365 deployments
openssh: OpenBSD's SSH implementation. The portable suffix on version strings (9.2p1, 9.3p2) is stripped before comparison against NVD version ranges.
Remote administration, server fleets, network devices
vmware_esxi: VMware's bare-metal hypervisor, tracked as an OS-class CPE (cpe:2.3:o). Version strings using Update notation (7.0 U3) are normalized before comparison.
Virtualization hosts, private cloud infrastructure
Supply chain monitoring: In addition to these 39 CVE-covered infrastructure products, Attestd monitors 50 PyPI packages for malicious publishes, security yanks, and OSV advisories. See the full list and details.
How products are selected
Not every software product produces reliable output from a CPE-based synthesis pipeline. A product must meet all three criteria before it is added:
Sentinel rate below 50%
A sentinel range is an NVD record that names a product as affected but omits version data. High sentinel rates mean the pipeline cannot determine which versions are affected, producing unreliable results. Products with ecosystem-level CVE noise (CMSes, plugin platforms) typically fail this criterion.
At least 10 CVEs with valid version ranges
Products with fewer than 10 usable records produce output that may reflect NVD coverage gaps rather than actual security posture. Thin datasets do not provide enough signal for accurate risk classification.
Complete CPE namespace coverage
When a vendor is acquired or renames itself, NVD may maintain two separate CPE namespaces for the same product. Both must be queried and merged to avoid silently missing historical CVEs. nginx, log4j, Redis, and MySQL each required this treatment.
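The three criteria can be checked mechanically over a product's CPE match records. The following is an added example, not Attestd's own code: the record layout, the namespaces oldco:widget and newco:widget, the CVE IDs, and the rule that a sentinel is a match with no version bound are all assumptions made for illustration.

```python
# Added example, not Attestd code. Record layout and sample data are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Match:
    cve_id: str
    namespace: str            # hypothetical "vendor:product" CPE namespace
    start: Optional[str]      # lower version bound, None if NVD gave none
    end: Optional[str]        # upper version bound, None if NVD gave none

def is_sentinel(m):
    """Assumption: a sentinel is a match with no version bound at all."""
    return m.start is None and m.end is None

def merge_namespaces(matches, namespaces):
    """One entry per CVE ID across the queried namespaces; a record with
    version data replaces a sentinel seen earlier for the same CVE."""
    merged = {}
    for m in matches:
        if m.namespace not in namespaces:
            continue
        prev = merged.get(m.cve_id)
        if prev is None or (is_sentinel(prev) and not is_sentinel(m)):
            merged[m.cve_id] = m
    return merged

def evaluate(matches, namespaces, max_sentinel_rate=0.5, min_ranged=10):
    """Apply the sentinel-rate and minimum-ranged-CVE thresholds."""
    merged = merge_namespaces(matches, namespaces)
    total = len(merged)
    sentinels = sum(is_sentinel(m) for m in merged.values())
    rate = sentinels / total if total else 1.0
    ranged = total - sentinels
    return {"total": total, "ranged": ranged, "sentinel_rate": rate,
            "eligible": rate < max_sentinel_rate and ranged >= min_ranged}

def sample():
    """Constructed records: 8 ranged under the old vendor name, 4 ranged and
    3 sentinels under the new one, plus one CVE present in both."""
    cve = "CVE-0000-{:04d}".format
    old = [Match(cve(i), "oldco:widget", "1.0", f"1.{i}") for i in range(1, 9)]
    new = [Match(cve(i), "newco:widget", "2.0", f"2.{i}") for i in range(9, 13)]
    sent = [Match(cve(i), "newco:widget", None, None) for i in range(13, 16)]
    both = [Match(cve(13), "oldco:widget", None, "1.9")]
    return old + new + sent + both
```

Evaluating the sample with only newco:widget yields 4 ranged CVEs and fails the second criterion; querying both namespaces yields 13 ranged CVEs out of 15 and passes, which is the silent loss the third criterion guards against.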
Request a product
Coverage expands based on demand. Email support@attestd.io with the product name and your use case. Products with structural NVD data quality problems (high sentinel rates, inconsistent CPE namespaces) cannot be added until those issues are resolved upstream.