As of July 13th, 2022, NVD will stop generating Vector Strings or Severity Score for CVSS v2. This means the existing CVSS v2 information will remain in the database but the NVD will no longer actively populate CVSS v2 for new CVEs.
This change comes as CISA policies that rely on NVD data fully transition away from CVSS v2.
Here are the historical of the CVSS version and the timeline.
Timeline | CVSS v2 | CVSS v3 | CVSS v4 |
---|---|---|---|
2007 - 2014 | Yes | No | - |
2015 - 2022 | Yes | Yes | - |
2022 - now | No | Yes | - |
2024 | No | Yes | (tentatively) |
As of July 22nd, 2022, XML URLs will be removed from the data feeds page (according to phase 2 of XML retirement plan).
However, NVD will continue to update the feed and host the URLs. And any automated process that downloads the XML feeds should not be impacted.