Supported Products
Attestd currently covers 77 software products. Coverage is intentionally narrow: each product in the set has acceptable sentinel rates in NVD (where evaluated), well-maintained CPE records, and enough historical CVE data to produce reliable synthesis output.
Pass the exact slug shown below as the product parameter. Product names are normalized to lowercase with spaces replaced by underscores, so Apache Log4j and log4j resolve to the same record.
cassandra: Distributed wide-column store from the ASF. CVE history includes serious issues in optional features (e.g. UDF execution). Keyword uses the full phrase "Apache Cassandra" to limit noise.
High-throughput writes, time series at scale, multi-region clusters
couchdb: Document database with replication. Includes critical historical RCEs (e.g. CVE-2022-24706, KEV). Tracked as apache:couchdb.
Offline-first apps, sync-heavy workloads
apache_derby: Apache's embedded Java relational database (JDBC). NVD tracks it as apache:derby with a modest but usable CVE history for server-side SQL and network exposure scenarios.
Embedded databases, Java tooling, test fixtures
couchbase: Distributed document database with search and analytics. Tracked as couchbase:couchbase_server in NVD with substantive CVE ranges.
Mobile sync backends, session stores, personalization
elasticsearch: Elastic's search and analytics engine. Standard semver in NVD under elastic:elasticsearch.
Search, log aggregation, observability stacks
mariadb: Community fork of MySQL. Single NVD namespace mariadb:mariadb with strong CVE coverage and semver-style versions.
MySQL-compatible deployments, managed databases
mssql: Enterprise RDBMS from Microsoft. NVD commonly uses dotted build numbers (e.g. 15.0.x) rather than marketing years.
Enterprise apps, .NET stacks, Azure SQL siblings
mongodb: Document-oriented database. MongoDB is a CNA; NVD entries often include explicit CPE ranges.
Application data, analytics, AI/ML pipelines
mysql: Oracle's open-source RDBMS. NVD merges pre- and post-acquisition vendor namespaces (mysql:mysql and oracle:mysql) for complete historical coverage.
LAMP/LEMP stacks, SaaS backends, managed MySQL
oracle_db: Oracle's flagship RDBMS. NVD uses numeric release trains (e.g. 19.x, 21.x), not marketing labels like 19c.
ERP, finance, large packaged applications
postgresql: The PostgreSQL open-source relational database. Coverage includes server-side vulnerabilities and privilege bypass issues in the query engine.
Application databases, analytics workloads
redis: In-memory data structure store. CVE records are merged across two NVD vendor namespaces reflecting the 2021 vendor name change from redislabs to redis.
Caching layers, session stores, message queues
sqlite: Embedded SQL engine. CVE history is thinner than client-server databases but includes real memory-safety issues; tracked as sqlite:sqlite.
Mobile apps, browsers, embedded devices, desktop software
apache_httpd: The Apache HTTP Server Project's web server, tracked as apache:http_server in NVD. Coverage includes module-specific vulnerabilities such as mod_proxy and mod_cgi.
Web servers, shared hosting infrastructure
caddy: Go-based HTTP server with automatic HTTPS. Tracked as caddyserver:caddy in NVD. Newer project; added after passing eligibility checks.
Developer environments, reverse proxies, AI deployment endpoints
haproxy: High-availability load balancer and TCP/HTTP proxy. HAProxy is its own CNA and self-publishes CVEs, producing high-quality NVD records. CVE history concentrates in HTTP header parsing and request smuggling.
Load balancers, API gateways, high-availability frontends
nginx: HTTP server and reverse proxy. CVE coverage spans pre- and post-F5 acquisition records, merged across two NVD vendor namespaces.
Web servers, load balancers, API gateways
squid: Caching proxy for HTTP, HTTPS, and FTP. Tracked as squid-cache:squid in NVD with an extensive CVE history in HTTP request parsing and authentication handling.
Forward proxies, content caching, network security layers
traefik: Cloud-native reverse proxy and ingress controller for Kubernetes and container environments. Tracked as traefik:traefik in NVD.
Kubernetes ingress, microservice routing, AI model serving endpoints
varnish: HTTP accelerator for content-heavy dynamic websites. NVD uses two CPE namespaces (varnish-cache:varnish and varnish_cache_project:varnish_cache); both are queried and merged.
CDN edge caching, high-traffic web frontends
apache_activemq: Apache's JMS message broker. Single namespace apache:activemq in NVD. CVE-2023-46604 (CVSS 10.0, CISA KEV) is an actively exploited RCE via OpenWire protocol deserialization.
Enterprise messaging, event-driven architectures, Spring ecosystems
apache_kafka: Distributed event streaming platform maintained by the Apache Software Foundation (CNA). CVE history includes SASL JAAS injection and authorization bypass vulnerabilities.
Data pipelines, AI/ML streaming, event sourcing
apache_pulsar: Cloud-native messaging and streaming platform from the ASF. CVE history includes authentication bypass in the WebSocket Proxy and broker authorization issues.
AI data pipelines, multi-tenant streaming, Kafka alternatives
mosquitto: Eclipse Foundation MQTT broker, the dominant open-source implementation. Tracked as eclipse:mosquitto in NVD.
IoT infrastructure, edge AI deployments, MQTT messaging
rabbitmq: AMQP message broker developed by Pivotal Software, acquired by VMware in 2019. NVD maintains records under both pivotal_software:rabbitmq and vmware:rabbitmq; both are queried and merged.
Task queuing, event-driven architectures, microservice messaging
zeromq: High-performance asynchronous messaging library (libzmq). Tracked as zeromq:libzmq in NVD. A direct dependency of Jupyter kernels, relevant to AI and data science environments.
Jupyter kernels, AI tooling, distributed messaging
argo_cd: GitOps continuous delivery for Kubernetes. Tracked as argoproj:argo_cd in NVD with strong semver-style CPE ranges.
Kubernetes GitOps, progressive delivery, platform engineering
containerd: CNCF container runtime used as the default runtime in Kubernetes. NVD tracks it as linuxfoundation:containerd (no active docker:containerd CPE dictionary entries as of 2026-04-25).
Kubernetes nodes, container hosts, Docker Engine stack
docker_engine: Docker's container engine, tracked as docker:docker in NVD. Low-level container escape CVEs are tracked separately under runc (linuxfoundation:runc).
Developer workstations, CI/CD agents, container hosts
helm: Kubernetes package manager. Tracked as helm:helm in NVD with substantive chart and CLI CVE history.
Kubernetes packaging, CI/CD, platform engineering
kube_apiserver: Kubernetes control plane API. Shares kubernetes:kubernetes CPE with other components; keyword kube-apiserver scopes NVD results.
Kubernetes control plane, managed Kubernetes (EKS, GKE, AKS)
kubelet: Kubernetes node agent. Shares kubernetes:kubernetes CPE with kube-apiserver; keyword kubelet scopes NVD results.
Kubernetes worker nodes, node pools
runc: OCI reference container runtime. NVD uses linuxfoundation:runc (not opencontainers:runc). Used by Docker Engine and containerd for container execution.
Container hosts, Kubernetes nodes, low-level runtime
envoy: Cloud-native L4/L7 proxy used as the data plane in Istio, AWS App Mesh, and many ingress controllers. Tracked as envoyproxy:envoy in NVD with deep HTTP/2 and gRPC CVE history. Istio bundles Envoy but Istio-specific CVEs are tracked separately.
Service mesh data plane, ingress gateways, API gateways, AI inference frontends
istio: Platform-independent service mesh for traffic management, policy, and telemetry on Kubernetes. Tracked as istio:istio in NVD. Some CVEs mention Envoy in advisory text; keyword Istio scopes ingestion to the control plane product.
Kubernetes service mesh, mTLS, ingress gateways, multi-cluster platforms
cilium: eBPF-based networking, observability, and security for Kubernetes (CNCF). Tracked as cilium:cilium in NVD with policy enforcement and dataplane CVE history.
Kubernetes CNI, cluster networking, network policy, zero-trust segmentation
calico: Cloud-native networking and network policy CNI (Tigera/Project Calico). Tracked as projectcalico:calico in NVD. Common alternative to Cilium on Kubernetes clusters.
Kubernetes CNI, network policy, BGP peering, on-prem and cloud clusters
consul: Service mesh, service discovery, and health checking from HashiCorp. Tracked as hashicorp:consul in NVD with Connect sidecar and ACL CVE history. Pairs with HashiCorp Vault coverage.
Service discovery, Connect mesh, multi-cloud service catalog, Vault-adjacent stacks
grafana: Metrics, logs, and traces visualization platform. Tracked as grafana:grafana in NVD with deep CVE history spanning authentication bypass, SSRF, path traversal, and plugin vulnerabilities.
Dashboards, SRE tooling, full-stack observability, incident response
kibana: Elastic stack visualization layer for Elasticsearch data. Tracked as elastic:kibana in NVD with path traversal, SSRF, and stored XSS CVE history. Pairs with Elasticsearch and Logstash coverage.
Elastic stack dashboards, log analytics, security operations centers
logstash: Elastic stack log ingestion and routing pipeline. Tracked as elastic:logstash in NVD. Often deployed with broad network access and credentials to multiple data sources.
Log pipelines, Elastic stack ingestion, SIEM data routing
zabbix: Enterprise monitoring platform with deep NVD CVE history. CVE-2022-23134 (CVSS 9.8, CISA KEV) is an authentication bypass in the setup wizard. Zabbix agents run on every monitored host.
Enterprise monitoring, agent-based infrastructure, government and regulated environments
fluentd: Log collection and forwarding daemon, widely used as the default log aggregator in Kubernetes. Tracked as fluentd:fluentd in NVD with HTTP parsing and plugin CVE history.
Kubernetes log aggregation, CNCF observability stacks, multi-source log routing
oracle_enterprise_manager_grid_control: Oracle's centralized infrastructure and database monitoring platform. Tracked as oracle:enterprise_manager_grid_control in NVD with CVE history spanning authenticated remote code execution and privilege escalation in management console components.
Oracle database fleet management, enterprise infrastructure monitoring, Oracle application lifecycle
apache_axis: Java SOAP and JAX-WS web services framework from the Apache Software Foundation, tracked as apache:axis in NVD. The 1.x line is end-of-life with no patch for CVE-2023-40743 (CVSS 9.8), which enables unauthenticated remote class loading via the lookup endpoint.
Legacy SOAP integrations, enterprise Java middleware, JAX-WS web service deployments
tomcat: The Apache Software Foundation servlet container for Java web applications. Tracked as apache:tomcat in NVD.
Java application servers, Spring Boot embedded servers, PaaS runtimes
jetty: Java HTTP server and servlet container maintained by the Eclipse Foundation. Historical CVEs use the legacy mortbay:jetty namespace; current CVEs use eclipse:jetty. Both are queried and merged on CVE ID.
Java application servers, embedded in Solr and Eclipse IDE
log4j: Java logging library from the Apache Software Foundation. Covers both the 1.x and 2.x release families, each tracked under separate NVD CPE namespaces.
JVM applications, enterprise middleware, Elasticsearch
microsoft_exchange: Microsoft's on-premises mail server. Version strings using CU notation (Exchange 2019 CU14) are normalized before range comparison.
Enterprise email infrastructure, hybrid Office 365 deployments
openssh: OpenBSD's SSH implementation. The portable suffix on version strings (9.2p1, 9.3p2) is stripped before comparison against NVD version ranges.
Remote administration, server fleets, network devices
vmware_esxi: VMware's bare-metal hypervisor, tracked as an OS-class CPE (cpe:2.3:o). Version strings using Update notation (7.0 U3) are normalized before comparison.
Virtualization hosts, private cloud infrastructure
hashicorp_vault: Secrets management and encryption as a service. NVD tracks it as hashicorp:vault with substantive semver-style CPE ranges.
Credential storage, PKI, Kubernetes sidecars, zero-trust service identity
isc_bind: The Internet Systems Consortium authoritative and recursive DNS server. Tracked as isc:bind in NVD with one of the largest CVE histories in the coverage set, concentrated in denial-of-service, cache poisoning, and response processing vulnerabilities.
Authoritative DNS servers, recursive resolvers, corporate DNS infrastructure
gnutls: GNU TLS/SSL library implementing SSL 3.0, TLS 1.0-1.3, and DTLS for the GNU/Linux ecosystem. Tracked as gnu:gnutls in NVD with CVE history focused on memory corruption in handshake processing and timing side-channel issues in key exchange.
TLS-enabled applications, Linux distributions, embedded systems, certificate validation
jenkins: Automated CI/CD server (Jenkins Project CNA). Canonical NVD namespace is jenkins:jenkins. CVE-2024-23897 (CVSS 9.8, CISA KEV) is a CLI parser arbitrary file read chain.
Self-hosted build farms, plugin ecosystems, release automation
gitlab: DevOps platform with Git, CI/CD, and registry in one application. Core product CVEs use gitlab:gitlab in NVD (Community and Enterprise). CVE-2023-7028 (CVSS 10.0, CISA KEV) is an account takeover via email verification bypass.
Git hosting, pipelines, container registry, compliance scanning
gitea: Lightweight self-hosted Git service. Tracked as gitea:gitea in NVD with solid historical CVE coverage for auth and repository edge cases.
Self-hosted Git mirrors, small teams, air-gapped development
tekton: Kubernetes-native CI/CD execution (CNCF). NVD uses linuxfoundation:tekton_pipelines. CVE volume is smaller than Jenkins or GitLab but passes eligibility after live test_nvd.py.
Cloud-native builds, CRD-based pipelines, GitOps supply chains
deno: Secure TypeScript/JavaScript runtime with V8. NVD tracks deno:deno with substantive semver-style ranges and modern HTTP-related CVE coverage.
Edge workers, tooling CLIs, serverless backends, developer environments
hermes: Meta's JavaScript engine used by React Native. Tracked as facebook:hermes in NVD with a focused bytecode and runtime CVE history.
React Native bundles, Hermes bytecode pipelines, embedded JS execution
nodejs: The Node.js runtime (V8 + libuv). Canonical NVD CPE is nodejs:node.js with large historical CVE volume and semver-style ranges.
API servers, build tooling, NPM ecosystem, AI agent backends
vm2: Node.js sandbox for untrusted code. CVE-2022-36067 (CVSS 10.0) and CVE-2023-32314 (CVSS 9.8) are critical sandbox escapes. Tracked as vm2_project:vm2.
User plugins, SaaS sandboxing, eval-like workflows, CVE news cycle
keycloak: Red Hat's open-source IAM platform providing SSO, OAuth2/OIDC, and user federation. Tracked as redhat:keycloak in NVD with a strong CVE history including auth bypass and redirect-URI traversal chains.
Enterprise SSO, Kubernetes service accounts, OAuth2 broker, developer portals
openldap: Widely deployed open-source LDAP implementation backing enterprise directory services. NVD namespace is openldap:openldap with a focused history of memory corruption and denial-of-service issues.
AD replacement, user directory, auth backends, enterprise identity
freeipa: Red Hat's integrated identity management combining LDAP, Kerberos, DNS, and certificate management in one solution. Tracked as freeipa:freeipa in NVD.
Enterprise Linux identity, RHEL/CentOS environments, Kerberos SSO
linux_pam: Pluggable Authentication Modules for Linux — the authentication layer for login, sudo, and SSH on virtually every Linux system. Tracked as linux-pam:linux-pam in NVD.
Login daemons, sudo, PAM-aware services, authentication policy enforcement
samba: The open-source implementation of Windows file sharing and Active Directory services. CVE-2017-7494 (EternalRed, CVSS 9.8, CISA KEV) and CVE-2021-44142 (heap OOB, CVSS 9.9) are canonical references. Deep NVD history.
Windows interop, AD replacement, file servers, SMB infrastructure
mit_kerberos: MIT's reference implementation of the Kerberos 5 authentication protocol. The foundational library for Kerberos-based SSO across Linux, macOS, and enterprise environments. Tracked as mit:kerberos_5 in NVD.
Enterprise SSO, GSSAPI, Kerberos realm infrastructure, FreeIPA backends
python: The CPython interpreter. NVD publishes under both python:python and python:cpython — ingestion uses the canonical python:python namespace. Deep CVE history across the 3.x line and the EOL 2.x tail.
AI/ML pipelines, API servers, scripting, data engineering, agent backends
ruby: The MRI (CRuby) interpreter. Tracked as ruby-lang:ruby in NVD with a solid CVE history in HTTP client handling, URI parsing (ReDoS), and string processing.
Rails applications, gem tooling, DevOps scripting, web backends
php: The PHP interpreter. One of the deepest CVE histories of any product in the coverage set. CVE-2024-4577 (CVSS 9.8, CISA KEV) — CGI argument injection on Windows — is a canonical exploited-in-the-wild reference.
Web backends, WordPress/Laravel/Symfony applications, shared hosting
go: The Go compiler and standard library. CVE history formalised since 2022 via the Go security team. CVE-2023-39325 (HTTP/2 rapid reset) is a high-profile reference. Eligibility confirmed via test_nvd.py before shipping.
Cloud-native services, CLI tooling, Kubernetes controllers, agent backends
openjdk: OpenJDK tracked under oracle:openjdk in NVD. The Oracle namespace covers both Oracle JDK and OpenJDK core CVEs. Sentinel rate is monitored for Oracle-JDK-specific bleed-through.
JVM workloads, Spring Boot services, enterprise Java, Android toolchains
rust: The Rust compiler and standard library. Tracked as rust-lang:rust in NVD. CVE history is smaller than other runtimes but growing as the language matures into safety-critical infrastructure.
Systems programming, Wasm runtimes, CLI tools, security-critical infrastructure
perl: The Perl 5 interpreter. One of the deepest legacy CVE histories of any runtime in the coverage set. Widely deployed in ops tooling, sysadmin scripts, and enterprise backends. Tracked as perl:perl in NVD.
Legacy web backends, ops scripting, bioinformatics, sysadmin tooling
erlang: The Erlang/OTP runtime. CVE-2025-32433 (unauthenticated RCE via SSH, CVSS 10.0) is a high-profile 2025 addition. Natural pairing with RabbitMQ coverage. Tracked as erlang:erlang/otp in NVD.
RabbitMQ clusters, distributed systems, telecom infrastructure, Phoenix/Elixir backends
Supply chain monitoring: In addition to these 77 CVE-covered infrastructure products, Attestd monitors 15000 PyPI and 14723 npm packages for malicious publishes and OSV advisories. See the full list and details.
How products are selected
Not every software product produces reliable output from a CPE-based synthesis pipeline. A product must meet all three criteria before it is added:
Sentinel rate below 50%
A sentinel range is an NVD record that names a product as affected but omits version data. High sentinel rates mean the pipeline cannot determine which versions are affected, producing unreliable results. Products with ecosystem-level CVE noise (CMSes, plugin platforms) typically fail this criterion.
At least 10 CVEs with valid version ranges
Products with fewer than 10 usable records produce output that may reflect NVD coverage gaps rather than actual security posture. Thin datasets do not provide enough signal for accurate risk classification.
Complete CPE namespace coverage
When a vendor is acquired or renames itself, NVD may maintain two separate CPE namespaces for the same product. Both must be queried and merged to avoid silently missing historical CVEs. nginx, log4j, Redis, and MySQL each required this treatment.
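The three checks above, applied to one product, as an added example (not Attestd's own code). Record, evaluate and the sample feeds are hypothetical; the namespace pair is the RabbitMQ one listed earlier, and the CVE IDs and versions are constructed placeholders.

```python
from dataclasses import dataclass

SENTINEL_RATE_LIMIT = 0.50  # criterion 1: sentinel rate must be below 50%
MIN_VERSIONED_CVES = 10     # criterion 2: at least 10 CVEs with valid ranges


@dataclass(frozen=True)
class Record:
    cve_id: str
    ranges: tuple = ()  # (first_affected, first_fixed) pairs; empty = sentinel


def evaluate(feeds, required_namespaces):
    """feeds maps 'vendor:product' to the Records fetched for that namespace."""
    # Criterion 3: every known namespace for the product must have been queried.
    missing = sorted(set(required_namespaces) - set(feeds))
    # Merge on CVE ID so a CVE listed under both namespaces is counted once,
    # and version data from either namespace is kept.
    merged = {}
    for records in feeds.values():
        for rec in records:
            merged.setdefault(rec.cve_id, set()).update(rec.ranges)
    total = len(merged)
    versioned = sum(1 for ranges in merged.values() if ranges)
    sentinel_rate = (total - versioned) / total if total else 1.0
    return {
        "total_cves": total,
        "versioned_cves": versioned,
        "sentinel_rate": sentinel_rate,
        "missing_namespaces": missing,
        "eligible": (sentinel_rate < SENTINEL_RATE_LIMIT
                     and versioned >= MIN_VERSIONED_CVES
                     and not missing),
    }


def constructed_feeds():
    """Constructed sample data; CVE IDs and versions are placeholders."""
    def cve(n):
        return f"CVE-0000-{n:04d}"
    old = [Record(cve(n), (("3.0.0", "3.7.9"),)) for n in range(1, 7)]
    old += [Record(cve(7)), Record(cve(8))]  # sentinels: no version data
    new = [Record(cve(n), (("3.8.0", "3.8.5"),)) for n in (7, 9, 10, 11, 12)]
    return {"pivotal_software:rabbitmq": old, "vmware:rabbitmq": new}


NAMESPACES = ["pivotal_software:rabbitmq", "vmware:rabbitmq"]

if __name__ == "__main__":
    feeds = constructed_feeds()
    print("both namespaces:", evaluate(feeds, NAMESPACES))
    legacy_only = {"pivotal_software:rabbitmq": feeds["pivotal_software:rabbitmq"]}
    print("legacy namespace only:", evaluate(legacy_only, NAMESPACES))
```

With only the legacy namespace queried, the same product drops from 11 versioned CVEs to 6 and fails the minimum-count check, which is the silent gap the third criterion guards against.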
Request a product
Coverage expands based on demand. Email [email protected] with the product name and your use case. Products with structural NVD data quality problems (high sentinel rates, inconsistent CPE namespaces) cannot be added until those issues are resolved upstream.