What is CVE (Common Vulnerabilities and Exposures)?

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly disclosed cybersecurity vulnerabilities. Each CVE entry provides a standardized identifier, description, and references for a specific security flaw in a specific product or codebase. Maintained by MITRE Corporation and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CVE enables security professionals, vendors, and tools to reference the same vulnerability unambiguously.

CVE identifier format

CVE identifiers follow the pattern CVE-YEAR-SEQUENCE, where YEAR is four digits and SEQUENCE is at least four digits (zero-padded when shorter) with no fixed upper length:

  • CVE-2021-44228: The Log4Shell vulnerability in Apache Log4j
  • CVE-2014-0160: The Heartbleed vulnerability in OpenSSL
  • CVE-2017-5754: The Meltdown CPU vulnerability

The year indicates when the CVE ID was reserved (or when the vulnerability was made public), not when the flaw was introduced or discovered: a bug found in decade-old code still receives an ID from the current year. Tools that sort or deduplicate IDs should compare year and sequence numerically, not as strings, because CVE-YYYY-44228 sorts before CVE-YYYY-9999 lexicographically.
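The following validator and extractor is an added example for this page, not code from the CVE Program. It encodes the syntax rules above (four-digit year, a sequence of at least four digits, longer sequences without leading zeros), normalizes case, and sorts numerically so that a five-digit sequence lands after a four-digit one from the same year. The advisory text it scans is constructed for the demo.

```python
import re
from typing import NamedTuple

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number. The
# sequence is at least four digits (zero-padded when shorter); longer
# sequences must not start with 0, so CVE-2014-0160 and CVE-2021-44228 are
# valid while CVE-2021-00160 is not.
_CVE_ID_RE = re.compile(r"^CVE-([0-9]{4})-(0[0-9]{3}|[1-9][0-9]{3,})$")
# Looser pattern for scanning free text (advisories, tickets, commit messages);
# every hit is still validated by parse_cve_id below.
_CVE_SCAN_RE = re.compile(r"\bCVE-[0-9]{4}-[0-9]{4,}\b", re.IGNORECASE)

# Constructed advisory text used by the demo at the bottom.
SAMPLE_TEXT = (
    "Fixed CVE-2021-44228 (Log4Shell) and re-checked cve-2014-0160 (Heartbleed); "
    "CVE-2017-5754 (Meltdown) is unrelated. CVE-2021-44228 is listed twice. "
    "Malformed: CVE-2021-00160, CVE-21-1234."
)


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper case, sequence zero-padded to four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate one CVE ID (case-insensitive) and return its numeric parts.

    Raises ValueError for anything that is not a syntactically valid ID.
    """
    m = _CVE_ID_RE.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE list started in 1999; no earlier years exist
        raise ValueError(f"implausible CVE year: {text!r}")
    if sequence == 0:
        raise ValueError(f"sequence number must be positive: {text!r}")
    return CveId(year, sequence)


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list[CveId]:
    """Return the distinct valid CVE IDs mentioned in text, in numeric order.

    Sorting the (year, sequence) tuple rather than the string is what keeps
    CVE-YYYY-9999 ahead of CVE-YYYY-44228.
    """
    found: set[CveId] = set()
    for candidate in _CVE_SCAN_RE.findall(text):
        if is_valid_cve_id(candidate):
            found.add(parse_cve_id(candidate))
        # over-padded sequences such as CVE-2021-00160 are silently dropped
    return sorted(found)


if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_TEXT):
        print(cve)
```

The scan pattern is deliberately looser than the validator so that malformed candidates are caught and reported by the same code path rather than silently mis-parsed; in a pipeline you would log the rejects instead of dropping them.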

What a CVE entry contains

A CVE record includes:

  1. CVE ID: The unique identifier
  2. Description: Brief explanation of the vulnerability
  3. References: Links to advisories, patches, and technical details
  4. Affected products: Which software versions are vulnerable
  5. CWE mapping: The underlying weakness type (see CWE)

CVE records are intentionally lean. Severity scores, CPE product identifiers and further analysis are added downstream by databases such as the National Vulnerability Database (NVD), which key their entries on the CVE ID. Exploit code is never part of a CVE record; when it exists publicly it is found through the linked references or separate exploit collections. Since the CVE JSON 5 record format, CNAs may also embed CVSS metrics and CWE mappings directly in the record, so two sources can carry different scores for the same ID.

The CVE lifecycle

  1. Discovery: A researcher or vendor finds a vulnerability
  2. Request: A CVE ID is requested from a CVE Numbering Authority (CNA), typically the vendor of the affected product or, failing that, a root CNA such as MITRE
  3. Assignment: The CNA reserves a CVE ID; the record exists in the RESERVED state with no public details, so embargoed coordination can refer to it
  4. Publication: The CNA publishes the record with description, affected products and references once the details are public
  5. Enrichment: NVD and other downstream databases add CVSS scores, CPE identifiers and additional analysis, usually some time after publication

A record can also end up REJECTED (duplicate, not a vulnerability, withdrawn); the ID is never reused.

Why CVE matters

Common vocabulary: Before CVE, the same vulnerability might have different names from each vendor. CVE provides a single reference point.

SCA integration: Software composition analysis tools check dependencies against vulnerability databases keyed on CVE. When you run npm audit or pip-audit, the advisory sources behind them (GitHub Advisory Database, OSV, the PyPA advisory database) carry CVE IDs as the cross-reference, often alongside ecosystem-specific IDs such as GHSA identifiers, and match your installed versions against the affected version ranges.
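To show what an SCA check actually does with the record fields listed above (affected products and versions, CWE mapping, CVSS metrics when the CNA supplies them), here is an added example that is not code from npm audit, pip-audit or the CVE Program. It matches a constructed inventory against a constructed record whose field names loosely follow the CVE JSON 5 format; the version range, score and URL are illustrative and deliberately not copied from the real CVE-2021-44228 record. Version comparison is simplified to dotted numbers.

```python
import re

# Constructed record, loosely following the field names of the CVE JSON 5
# record format. Range, score and URL are illustrative, not the real entry.
SAMPLE_RECORDS = [{
    "cveMetadata": {"cveId": "CVE-2021-44228", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "JNDI lookup in logged strings allows remote code execution."}],
        "affected": [{
            "vendor": "Apache Software Foundation",
            "product": "Apache Log4j2",
            "versions": [
                {"version": "2.0", "status": "affected", "lessThan": "2.15.0", "versionType": "semver"},
                {"version": "2.15.0", "status": "unaffected", "versionType": "semver"},
            ],
        }],
        "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en",
                                            "description": "Deserialization of Untrusted Data"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL"}}],
        "references": [{"url": "https://example.com/advisory/log4j"}],
    }},
}]

# Constructed software inventory: (product name, installed version).
SAMPLE_INVENTORY = [("Apache Log4j2", "2.14.1"), ("Apache Log4j2", "2.15.0"),
                    ("apache log4j2", "2.0"), ("OpenSSL", "1.0.1f")]


def version_key(version: str) -> tuple[int, ...]:
    """Leading dotted-numeric part of a version as a tuple of ints.

    Simplification: pre-release and letter suffixes ("2.0-beta9", "1.0.1f")
    are dropped. Real SCA tools apply ecosystem-specific rules (semver,
    PEP 440, Maven); OpenSSL's letter suffixes, for instance, are ordinal.
    """
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a: str, b: str) -> bool:
    """a < b component-wise, missing trailing components treated as 0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def version_affected(installed: str, entry: dict) -> bool:
    """Evaluate one CVE 5-style version entry against an installed version.

    {"version": X, "lessThan": Y}        means  X <= v <  Y
    {"version": X, "lessThanOrEqual": Y} means  X <= v <= Y
    {"version": X}                       means  v == X
    Only entries whose status is "affected" count.
    """
    if entry.get("status") != "affected":
        return False
    start = entry["version"]
    if version_lt(installed, start):
        return False
    if "lessThan" in entry:
        return version_lt(installed, entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return not version_lt(entry["lessThanOrEqual"], installed)
    return not version_lt(start, installed)


def cvss_severity(base_score: float) -> str:
    """CVSS v3.x qualitative rating bands (v4.0 uses the same thresholds)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score <= 3.9:
        return "Low"
    if base_score <= 6.9:
        return "Medium"
    if base_score <= 8.9:
        return "High"
    return "Critical"


def summarize(record: dict) -> dict:
    """Pull the fields a triage report needs out of one record."""
    cna = record["containers"]["cna"]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    score = None
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):  # prefer the newest vector present
            if key in metric:
                score = float(metric[key]["baseScore"])
                break
        if score is not None:
            break
    return {"cve": record["cveMetadata"]["cveId"], "cwes": cwes, "cvss": score,
            "severity": cvss_severity(score) if score is not None else "Unscored"}


def find_findings(inventory, records) -> list[dict]:
    """Match an inventory against records; highest CVSS first, unscored last."""
    findings = []
    for product, installed in inventory:
        for record in records:
            for affected in record["containers"]["cna"].get("affected", []):
                # Simplification: match on product name; real tools use CPE or purl.
                if affected["product"].lower() != product.lower():
                    continue
                if any(version_affected(installed, e) for e in affected.get("versions", [])):
                    findings.append({"product": product, "installed": installed, **summarize(record)})
    return sorted(findings, key=lambda f: -1.0 if f["cvss"] is None else f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in find_findings(SAMPLE_INVENTORY, SAMPLE_RECORDS):
        print(f"{f['cve']} {f['severity']} ({f['cvss']}) {f['product']} {f['installed']} {f['cwes']}")
```

Note what the simplifications hide: the product match would miss a renamed or vendored copy of the library (real tools match CPE names or package URLs), and the version parser would call OpenSSL 1.0.1f and 1.0.1g equal. Those two gaps are where most false negatives in home-grown SCA checks come from.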

Patch management: Security teams use CVE to track which vulnerabilities affect their systems and prioritize remediation.

Disclosure coordination: A reserved CVE ID gives researchers, the vendor and downstream distributors a shared handle for a flaw during an embargo, before any description or exploitation details are published. The ID appears in the eventual advisory and patch notes, so fixes can be traced back to the report without anyone having had to describe the bug publicly first.

CVE and severity

The CVE Program does not score vulnerabilities. Severity comes from the Common Vulnerability Scoring System (CVSS); NVD computes and publishes a score for each CVE, and since the CVE JSON 5 record format a CNA may also include its own CVSS metrics in the record, so the two may differ. The CVSS v3.x qualitative bands (unchanged in v4.0) are:

  • Critical (9.0-10.0): remotely exploitable with little or no prerequisite and severe impact
  • High (7.0-8.9): significant impact, typically exploitable without unusual conditions
  • Medium (4.0-6.9): moderate impact or meaningful mitigating factors
  • Low (0.1-3.9): limited impact or difficult to exploit
  • None (0.0): no impact

A base score measures intrinsic severity, not whether the flaw is being exploited in the wild or whether your deployment exposes it; prioritization should combine the score with exploitation evidence and asset context rather than patching strictly in score order.

Limitations

CVE has known limitations:

  • Backlog: Assignment can lag, and downstream enrichment lags more; NVD's CVSS and CPE analysis has at times fallen weeks or months behind publication, leaving records that tools cannot score or match
  • Coverage gaps: Not all vulnerabilities get CVEs, particularly in less mainstream software and in projects with no CNA; the same underlying bug may also be split across several IDs or several bugs folded into one
  • Quality variance: Description quality, affected-version precision and reference completeness vary by CNA, and a vague or incomplete affected-version range directly produces false negatives in SCA tools

Despite these limitations, CVE remains the foundational reference system for vulnerability management.

See also: CWE, SCA, OWASP Top 10
