diff --git a/plugins/cvelib/api_key.go b/plugins/cvelib/api_key.go
new file mode 100644
index 00000000..54018e1a
--- /dev/null
+++ b/plugins/cvelib/api_key.go
@@ -0,0 +1,49 @@
+package cvelib
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/importer"
+	"github.com/1Password/shell-plugins/sdk/provision"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+	"github.com/1Password/shell-plugins/sdk/schema/fieldname"
+)
+
+func APIKey() schema.CredentialType {
+	return schema.CredentialType{
+		Name:          credname.APIKey,
+		DocsURL:       sdk.URL("https://github.com/RedHatProductSecurity/cvelib"),
+		ManagementURL: sdk.URL("https://vulnogram.github.io/cve5/#cvePortal"),
+		Fields: []schema.CredentialField{
+			{
+				Name:                fieldname.User,
+				MarkdownDescription: "User to authenticate to CVE Services API (CVE user).",
+			},
+			{
+				Name:                fieldname.Organization,
+				MarkdownDescription: "Organization to authenticate to CVE Services API (CNA short name).",
+			},
+			{
+				Name:                fieldname.APIKey,
+				MarkdownDescription: "API Key used to authenticate to CVE Services API (CNA API key).",
+				Secret:              true,
+				Composition: &schema.ValueComposition{
+					Length: 36,
+					Charset: schema.Charset{
+						Lowercase: true,
+						Digits:    true,
+					},
+				},
+			},
+		},
+		DefaultProvisioner: provision.EnvVars(defaultEnvVarMapping),
+		Importer: importer.TryAll(
+			importer.TryEnvVarPair(defaultEnvVarMapping),
+		)}
+}
+
+var defaultEnvVarMapping = map[string]sdk.FieldName{
+	"CVE_USER":    fieldname.User,
+	"CVE_ORG":     fieldname.Organization,
+	"CVE_API_KEY": fieldname.APIKey,
+}
diff --git a/plugins/cvelib/cve.go b/plugins/cvelib/cve.go
new file mode 100644
index 00000000..dc73e0b5
--- /dev/null
+++ b/plugins/cvelib/cve.go
@@ -0,0 +1,25 @@
+package cvelib
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/needsauth"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+)
+
+func CVEServicesAPICLI() schema.Executable {
+	return schema.Executable{
+		Name:    "CVE Services API CLI",
+		Runs:    []string{"cve"},
+		DocsURL: sdk.URL("https://github.com/RedHatProductSecurity/cvelib"),
+		NeedsAuth: needsauth.IfAll(
+			needsauth.NotForHelpOrVersion(),
+			needsauth.NotWithoutArgs(),
+		),
+		Uses: []schema.CredentialUsage{
+			{
+				Name: credname.APIKey,
+			},
+		},
+	}
+}
diff --git a/plugins/cvelib/plugin.go b/plugins/cvelib/plugin.go
new file mode 100644
index 00000000..9a47a7bc
--- /dev/null
+++ b/plugins/cvelib/plugin.go
@@ -0,0 +1,22 @@
+package cvelib
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/schema"
+)
+
+func New() schema.Plugin {
+	return schema.Plugin{
+		Name: "cvelib",
+		Platform: schema.PlatformInfo{
+			Name:     "CVE Services",
+			Homepage: sdk.URL("https://www.cve.org/AllResources/CveServices"),
+		},
+		Credentials: []schema.CredentialType{
+			APIKey(),
+		},
+		Executables: []schema.Executable{
+			CVEServicesAPICLI(),
+		},
+	}
+}