diff --git a/0003-fix-cve-list-get-api-query-error.patch b/0003-fix-cve-list-get-api-query-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3bed10956263ef4933253c61d1738479b05ddb42
--- /dev/null
+++ b/0003-fix-cve-list-get-api-query-error.patch
@@ -0,0 +1,63 @@
+From b5b9f18abefeed4906a9aa469e4d0a591a2a5809 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Fri, 20 Oct 2023 21:43:36 +0800
+Subject: [PATCH 1/1] fix cve_list_get api query error
+
+---
+ apollo/database/proxy/host.py | 13 ++++++++-----
+ database/apollo.sql           | 10 ++++++----
+ 2 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/apollo/database/proxy/host.py b/apollo/database/proxy/host.py
+index b3cabb6..2ce2005 100644
+--- a/apollo/database/proxy/host.py
++++ b/apollo/database/proxy/host.py
+@@ -126,15 +126,18 @@ class HostMysqlProxy(MysqlProxy):
+         Returns:
+             dict
+         """
++        subquery = self.session.query(
++            CveHostAssociation.host_id, CveHostAssociation.cve_id, CveHostAssociation.fixed, CveHostAssociation.affected
++        ).filter(CveHostAssociation.host_id.in_(host_ids)).distinct().subquery()
++
+ 
+         host_cve_fixed_list = (
+             self.session.query(
+-                CveHostAssociation.host_id,
+-                func.COUNT(func.IF(CveHostAssociation.fixed == True, 1, None)).label("fixed_cve_num"),
+-                func.COUNT(func.IF(CveHostAssociation.fixed == False, 1, None)).label("unfixed_cve_num"),
++                subquery.c.host_id,
++                func.COUNT(func.IF(subquery.c.fixed == True, 1, None)).label("fixed_cve_num"),
++                func.COUNT(func.IF(subquery.c.fixed == False, 1, None)).label("unfixed_cve_num"),
+             )
+-            .filter(CveHostAssociation.host_id.in_(host_ids))
+-            .group_by(CveHostAssociation.host_id)
++            .group_by(subquery.c.host_id)
+             .all()
+         )
+         return host_cve_fixed_list
+diff --git a/database/apollo.sql b/database/apollo.sql
+index a3c4ddc..c756ad2 100644
+--- a/database/apollo.sql
++++ b/database/apollo.sql
+@@ -179,11 +179,13 @@ BEGIN
+ 				SET @cve_list_page_count_sql = CONCAT(@cve_list_page_count_sql, 'AND cve.severity IN (', severity, ') ');
+     END IF;
+ 		
+-		IF order_by_filed IS NULL or order_by_filed ='' THEN
+-        SET @order_by_filed = 'cve_host_user_count.host_num';
+-    END IF;
++-- 		IF order_by_filed IS NULL or order_by_filed ='' THEN
++--         SET @order_by_filed = 'cve_host_user_count.host_num';
++--     END IF;
++-- 		 MySql 5.7 version '@' index error 
++
++    SET @cve_list_sql = CONCAT(@cve_list_sql, ' ORDER BY ', order_by_filed ,' ', order_by);
+ 		
+-    SET @cve_list_sql = CONCAT(@cve_list_sql, ' ORDER BY ', @order_by_filed ,' ', order_by);
+ 		
+ 		IF end_limt!=0 THEN
+ 			SET @cve_list_sql = CONCAT(@cve_list_sql, ' limit ',start_limt ,' ,', end_limt);
+-- 
+2.33.0
+
diff --git a/aops-apollo.spec b/aops-apollo.spec
index 98ae2c89314319cd0e953b234314aa780b6d3874..c526ceae188d4df9b26a973b2d1faa761d32ccc5 100644
--- a/aops-apollo.spec
+++ b/aops-apollo.spec
@@ -1,6 +1,6 @@
 Name:		aops-apollo
 Version:	v1.3.4
-Release:	3
+Release:	4
 Summary:	Cve management service, monitor machine vulnerabilities and provide fix functions.
 License:	MulanPSL2
 URL:		https://gitee.com/openeuler/%{name}
@@ -69,6 +69,9 @@ popd
 %{python3_sitelib}/aops_apollo_tool/*
 
 %changelog
+* Fri Oct 20 2023 wenxin<wenxin32@foxmail.com> - v1.3.4-4
+- fix cve_list_get api query error
+
 * Fri Oct 20 2023 gongzhengtang<gong_zhengtang@163.com> - v1.3.4-3
 - fix query all by cve list api