A browser-based CVE management client for CVE Services 2.x API, built for CVE Numbering Authorities (CNAs) and Roots. Manage CVE records using CVE JSON 5.x directly from your browser — no software to install, no data collected, no backend required.
Privacy: This application runs entirely in your browser. It does not store any data on a server, does not track usage, and does not phone home. Your API key is encrypted locally using RSA-OAEP 4096-bit encryption before being stored in browser storage.
| Component | Version |
|---|---|
| CVE Services API | 2.x (API docs, local OpenAPI spec) |
| CVE JSON Schema | 5.x (schema docs, local schema) |

| Environment | URL | Use Case |
|---|---|---|
| Production | https://cveawg.mitre.org/api | Live CVE record management |
| Test | https://cveawg-test.mitre.org/api | Testing and training |
| Local | http://127.0.0.1:3000/api | Local CVE Services instance |

Select your environment from the dropdown at login.
- CVE Record Management — Create, update, reject, and reserve CVE IDs
- Form-Based Editor — Tabs for Minimal (required fields only), All Fields (full schema), JSON (direct editing with Ace editor), and ADP views
- Guided CVE Chatbot — Step-by-step wizard that walks you through building a CVE record field by field, with CWE autocomplete
- AI Review — Review your CVE record with ChatGPT, Claude, or Gemini before publication. Shows the full prompt for transparency, then copies to clipboard and opens your chosen provider.
- User Management — Create, update, and list users within your CNA organization (admin role required)
- Organization Info — View org details and remaining CVE ID quota
- Offline Mode — Click "Skip" at login to create and edit mock CVE records without connecting to CVE Services, useful for drafting or training
- Encrypted Credentials — API keys are encrypted with RSA-OAEP 4096-bit keys before storage. See RISKS.md for a full discussion of browser API key security.
Visit https://certcc.github.io/cveClient/ and log in with your CNA short name, username, and API key. No installation required. The demo connects directly to CVE Services and does not store any data.
cveClient is a static web application — just serve the files from any web server:
```bash
git clone https://github.com/CERTCC/cveClient.git
cd cveClient
# Any of these will work:
python3 -m http.server 8080
npx serve .
php -S localhost:8080
```

Open http://localhost:8080 and log in. For production deployment with Content-Security-Policy headers, Apache/Nginx configuration examples, and more, see INSTALL.md.
Using API keys in a browser carries inherent risks. See RISKS.md for:
- Why browser-based API key usage is a known risk for CNAs
- Precautions your organization should take (browser hardening, user audits, key rotation)
- How cveClient mitigates risk with RSA-OAEP encryption
- Content-Security-Policy recommendations for self-hosted deployments
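
The encrypt-before-store step described above (an API key encrypted with a 4096-bit RSA-OAEP key before it reaches browser storage) looks like this with the WebCrypto API. This is an added example, not cveClient's own code: the function names, the storage key `cve-api-key`, the SHA-256 OAEP hash, the non-extractable private key and the in-memory stand-in for browser storage are all assumptions.

```javascript
// Added example (not cveClient's code): RSA-OAEP encrypt-before-store.
// Browsers and Node 19+ expose `crypto` globally; older Node needs the module.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Assumption: SHA-256 as the OAEP hash. With a 4096-bit modulus that leaves
// 512 - 2*32 - 2 = 446 bytes of plaintext, ample for an API key.
// extractable=false applies to the private key; public keys stay exportable.
async function makeKeyPair() {
  return subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 4096,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["encrypt", "decrypt"]);
}

// Only base64 ciphertext is written to `store`; the plaintext never is.
async function sealApiKey(store, name, publicKey, apiKey) {
  const ct = await subtle.encrypt({ name: "RSA-OAEP" }, publicKey,
    new TextEncoder().encode(apiKey));
  store.setItem(name, toB64(new Uint8Array(ct)));
}

// Read the ciphertext back and decrypt it with the in-memory private key.
async function openApiKey(store, name, privateKey) {
  const pt = await subtle.decrypt({ name: "RSA-OAEP" }, privateKey,
    fromB64(store.getItem(name)));
  return new TextDecoder().decode(pt);
}

async function demo() {
  const mem = new Map(); // constructed stand-in for browser storage
  const store = { setItem: (k, v) => mem.set(k, v), getItem: (k) => mem.get(k) };
  const apiKey = "EXAMPLE-not-a-real-api-key"; // constructed sample value
  const { publicKey, privateKey } = await makeKeyPair();
  await sealApiKey(store, "cve-api-key", publicKey, apiKey);
  const stored = store.getItem("cve-api-key");
  // A non-extractable private key cannot be exported by page script.
  const exportBlocked = await subtle.exportKey("pkcs8", privateKey)
    .then(() => false, () => true);
  const recovered = await openApiKey(store, "cve-api-key", privateKey);
  return { stored, recovered, exportBlocked, ctBytes: fromB64(stored).length };
}
```

Because the private key lives in the same browser profile as the ciphertext, this protects the stored value at rest but not against script running in the page's origin, which is why the Content-Security-Policy recommendations matter for self-hosted deployments.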
See CHANGELOG.md for the full version history.
See CONTRIBUTING.md for architecture details, local development setup, Node.js library usage, running tests, and dependency information.
See LICENSE for license information.