Vulnerability Notes Database Search Help

The vulnerability notes database includes an advanced search page to help you search for vulnerabilities. However, the interactive search page does not enable or document all of the features provided by the search engine. This page provides additional information that allows you to build more detailed search queries.

In general, the vulnerability notes database is full-text indexed. This means that your search will return any document that contains the word you're looking for, regardless of where it appears in the document.

Building complex queries

You can build complex queries using words like and, or, and not. For example, you might want to search for "cgi-bin and not perl". You can also use parentheses in your search criteria: "cgi-bin and not (apache or IIS)". All search terms are case insensitive, with "netbios" matching both "NetBIOS" and "NETBIOS".

Searches match only complete words. For example, "vul" will not match "vulnerability". To match partial words, you can use wildcards like "vul*" to match all words beginning with "vul". You can also use wildcards in the middle of words, such as "f*t" to match both "flowchart" and "format". Question marks will match a single character in searches like "Windows 9?".

Because the search index is word-based, other punctuation is largely ignored. Phrases like "denial-of-service" will match "denial of service" and "denial-of-service", but will not match strings where one of the words is missing, like "denial service", or where words are out of order, like "service denial". Numbers are indexed just like letters in words, so searching for "1072" will find references to "RFC 1072", but if the string to be matched is "RFC1072" (without a space), you need a leading asterisk ("*1072").

Search query URL format

The following is the general format of a search query:


A search request may have several arguments, including query, searchorder, searchmax, searchthesaurus, and searchwv. All arguments are case insensitive and may be supplied in any order, with ampersands separating each argument.

Query argument

This argument is supplied "&query=string", where string is the value to search for. Since spaces are not allowed in URLs, spaces in the query string should be replaced with plus signs. To search for vulnerabilities involving TCP or UDP, you might specify a URL like "/vuls/byid?searchview&query=tcp+or+udp". The query argument corresponds to the text box requesting key words on the interactive search form.

SearchOrder argument

This argument determines the order of the results displayed. The default value is "1," which means to display the results sorted in order by relevance. Other allowed values include "2" and "3," which sort the matched documents by modified date in ascending and descending order respectively. To find the most recent vulnerabilities involving BIND, you might construct a search query like "/vuls/byid?searchview&query=bind&searchorder=3".

SearchMax argument

This argument controls the maximum number of search results returned. While the interactive search form provides a limited number of choices for this argument, any numeric value between 0 and 1000 is allowed. The default value is 250. A value of 0 returns all documents matching the query up to 1000.

SearchThesaurus argument

This argument causes the search engine to use a thesaurus of synonyms while conducting the search. Permitted values are "TRUE" and "FALSE". The default value is "FALSE". The thesaurus has not been refined to include common synonyms in the information security or computer science domains, so it is likely to be of limited use.

SearchWV argument

This argument causes the search to return results for word variants. For example, a search for "browse" would return documents matching "browser" or "browses". Permitted values are "TRUE" and "FALSE". The default value is "TRUE". You can disable this feature in the interactive search form by selecting the "find exact word matches only" checkbox.

An example of a fairly complex search URL is


It returns all vulnerability notes involving SSH and IDEA, or SSH and RC4, with a limit of 50 matches, and without matching any word variants.

Viewing search results

You can also specify which database view should be used to display the results. The interactive search form uses the "by ID" view, but you can build search URLs by hand that use other views, such as "by CVE Name" or "by Date Public". The search results are still sorted by relevance or modification date, but the columns for the selected view will appear in the search results. For example, if you were searching for CVE IDs of compiled help shortcut vulnerabilities, you might want to use this URL:


If you have additional questions about searching the database, please let us know.