Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024

CVE Program Blog
Jul 20


A major change is coming in how CVE content is provided that will affect products that consume CVE content.

CNA partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this upcoming change.

Legacy CVE Content Formats Your Products Are Using to Be Phased Out

The CVE Program has a new official format for CVE Records and downloads (see section below).

As a result, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out in the first half of 2024.

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:

December 31, 2023: Current daily update schedule ends.
January 2024: Once per week updates.
February 2024: Every other week updates.
March–June 2024: Once per month updates.
June 30, 2024: Legacy download formats no longer updated with new CVE Records.

Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

New CVE Content Format Is Available for Use

CVE Downloads in our new official data format for CVE Records, “CVE JSON 5.0,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.
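For consumers moving off the flat legacy files, the following added example (not code from the CVE Program) reduces a CVE JSON 5.0 record to a flat row and handles REJECTED records, which carry `rejectedReasons` rather than `descriptions`. The sample records are constructed with placeholder IDs, and the output row shape and the acceptance of any `5.x` `dataVersion` are assumptions of this example.

```python
import json

# Constructed sample records in the CVE JSON 5.0 layout (placeholder IDs, not real CVEs).
SAMPLE_PUBLISHED = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
  "containers": {"cna": {
    "descriptions": [{"lang": "es", "value": "Ejemplo construido."},
                     {"lang": "en-US", "value": "Constructed example description."}],
    "references": [{"url": "https://example.com/advisory/1"}]}}
}""")
SAMPLE_REJECTED = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-0000-0002", "state": "REJECTED"},
  "containers": {"cna": {
    "rejectedReasons": [{"lang": "en", "value": "Constructed rejection reason."}]}}
}""")


def _english(entries):
    """Return the first English-language text from a list of {lang, value} items."""
    for entry in entries or []:
        if entry.get("lang", "").lower().startswith("en"):
            return entry.get("value", "")
    return ""


def flatten_record(record):
    """Reduce one CVE JSON 5.0 record to a flat row (row shape is this example's choice)."""
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE Record")
    # Assumption: accept any 5.x dataVersion; fail loudly on anything else.
    if not str(record.get("dataVersion", "")).startswith("5."):
        raise ValueError("unsupported dataVersion: %r" % record.get("dataVersion"))
    meta = record["cveMetadata"]
    cna = record.get("containers", {}).get("cna", {})
    # REJECTED records have no descriptions; their text lives in rejectedReasons.
    key = "rejectedReasons" if meta["state"] == "REJECTED" else "descriptions"
    return {
        "id": meta["cveId"],
        "state": meta["state"],
        "description": _english(cna.get(key)),
        "references": [r["url"] for r in cna.get("references", []) if "url" in r],
    }
```

Failing on an unexpected `dataType` or `dataVersion` keeps a pipeline from silently ingesting empty rows if the format changes again.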

Take Action Now!

We are informing the community now so that product teams will have time to update their tools to the new CVE format before the legacy format download files stop being updated after June 30, 2024.

If you have any comments or concerns, please use the CVE Program Request forms and select “Other” from the dropdown menu.



The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. https://www.cve.org