CVEProject · david-rocca · Mar 9, 2026 · Oct 29, 2025 · Jan 7, 2026 · Jan 8, 2026
diff --git a/api-docs/openapi.json b/api-docs/openapi.json
@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "ur-v0.3.0",
+    "version": "2.6.1",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "ur-v0.3.0",
+    "version": "2.6.1",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",

diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
@@ -178,6 +178,32 @@ function datePublicHelper (datePublic) {
   return currentDate > datePublicWithGracePeriod
 }
 
+/**
+ * Checks that timeline.time fields are valid datetime objects.
+ * This accounts for invalid timezone offsets that aren't handled by the schema.
+ *
+ * @param {String} dateIndex
+ * @returns true
+ * @throws Error
+ */
+function validateTimelineDates (dateIndex) {
+  // Check if datePublic is a future date
+  return body(dateIndex).isArray().withMessage('Time must be a date string').optional({ nullable: true }).bail().custom((timelineArray) => {
+    for (const timelineObj of timelineArray) {
+      const value = new Date(timelineObj.time)
+      if (!validateTimelineHelper(value)) {
+        throw new Error(`Invalid date string: ${timelineObj.time} `)
+      }
+    }
+
+    return true
+  })
+}
+
+function validateTimelineHelper (value) {
+  return value instanceof Date && !isNaN(value)
+}
+
 // Organizations in the ADP pilot are generating JSON programatically, and thus
 // informing them about the result of the final validation (against the full
 // CVE Record schema) is currently sufficient.
@@ -290,6 +316,7 @@ module.exports = {
   validateDescription,
   validateRejectBody,
   validateDatePublic,
+  validateTimelineDates,
   datePublicHelper,
   validatePURL,
   purlValidateHelper