Deprecation of Legacy CVE Download Formats Now Underway

CVE Program Blog
2 min readJan 4, 2024

The phased deprecation of legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) scheduled for the first half of 2024 has begun. Phased deprecation means that the frequency of updates to the legacy download formats will be reduced over the coming months until they are no longer updated at the end of June 2024.

These legacy download formats have been replaced by CVE JSON as the only supported format for CVE Records and downloads (see below).

This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on Medium and the CVE.ORG website and promoted throughout the remainder of 2023 in the CVE Announce email newsletter and on CVE social media.

Phase-Out Schedule

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats are being reduced from daily updates (which ended on December 31, 2023) to updates on the following schedule:

January 2024: Once per week updates.
February 2024: Every other week updates.
March–June 2024: Once per month updates.
June 30, 2024: Legacy downloads formats no longer updated with new CVE Records.

New Format for CVE Records and Downloads

CVE Downloads in the new official data format for CVE Records, CVE JSON, are hosted in the cvelistV5 repository on Update frequency and other details are available in the repository ReadMe.

CVE JSON is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

Who Is Affected?

CVE Numbering Authority (CNA) partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this change.

Take Action Now!

Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated after June 30, 2024.

If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.



CVE Program Blog

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.