Summary
CVE (Common Vulnerabilities and Exposures) is a publicly maintained dictionary of known security vulnerabilities and exposures, each assigned a unique identifier to enable consistent reference across tools and organizations.
What is CVE?
CVE is a program maintained by MITRE Corporation and sponsored by the U.S. Department of Homeland Security. Each entry in the CVE list receives a unique ID in the format CVE-YEAR-NUMBER, a brief description, and references to related advisories and patches.
The system provides a common language for discussing vulnerabilities across different security products, databases, and organizations. Security scanners, patch management tools, and vulnerability databases all reference CVE IDs to allow consistent tracking.
The National Vulnerability Database (NVD), maintained by NIST, enriches CVE entries with severity scores using the Common Vulnerability Scoring System (CVSS), helping organizations prioritize remediation efforts.
Why is CVE relevant?
- Standardization: A shared identifier allows teams, tools, and vendors to reference the same vulnerability without ambiguity
- Prioritization: CVSS scores attached to CVE entries help organizations focus on the highest-risk issues first
- Compliance: Many regulatory frameworks require organizations to track and remediate known CVEs within defined timeframes
- Automation: Security pipelines can automatically block or flag software components with known CVE entries
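As an added example (not from this page or the CVE program itself) of the ID format described above and of the prioritisation and automation points in this list: a small pipeline gate that validates CVE-YEAR-NUMBER syntax, matches a component inventory against an advisory feed, and orders hits by CVSS so the highest-risk finding decides whether the build is blocked. The component names, version ranges, scores and CVE IDs (which use a deliberately impossible year) are constructed sample data, and the helper names are my own.

```python
import re
from dataclasses import dataclass

# Current CVE ID syntax: "CVE-" + four-digit year + sequence of four or more digits
# (no upper bound on sequence length since the 2014 syntax change).
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def is_valid_cve_id(cve_id: str) -> bool:
    """True if cve_id follows the CVE-YEAR-NUMBER syntax exactly (case-sensitive)."""
    return CVE_ID_RE.fullmatch(cve_id) is not None

@dataclass(frozen=True)
class Advisory:
    cve_id: str      # CVE identifier the advisory refers to
    component: str   # affected package name
    affected: tuple  # (lowest, highest) affected version, both inclusive
    cvss: float      # CVSS base score (as NVD attaches to the CVE entry)

def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def find_known_cves(components: dict, advisories: list) -> list:
    """Return advisories matching components {name: version}, highest CVSS first."""
    hits = []
    for adv in advisories:
        if not is_valid_cve_id(adv.cve_id):  # reject malformed feed entries early
            raise ValueError(f"malformed CVE ID in advisory feed: {adv.cve_id}")
        version = components.get(adv.component)
        if version is None:
            continue
        low, high = adv.affected
        if parse_version(low) <= parse_version(version) <= parse_version(high):
            hits.append(adv)
    return sorted(hits, key=lambda a: a.cvss, reverse=True)

def gate(components: dict, advisories: list, block_at: float = 7.0) -> tuple:
    """Pipeline gate: (blocked?, ordered CVE IDs). Blocks if any hit scores >= block_at."""
    hits = find_known_cves(components, advisories)
    return any(h.cvss >= block_at for h in hits), [h.cve_id for h in hits]

# Constructed sample data (IDs use a deliberately fake year; these are not real CVE entries).
SAMPLE_COMPONENTS = {"libfoo": "1.2.3", "libbar": "4.0.0"}
SAMPLE_ADVISORIES = [
    Advisory("CVE-2099-0001", "libfoo", ("1.0.0", "1.2.5"), 9.8),
    Advisory("CVE-2099-12345", "libbar", ("4.1.0", "4.2.0"), 5.0),  # 5-digit sequence
    Advisory("CVE-2099-0002", "libfoo", ("1.2.0", "1.2.3"), 4.3),
]
```

Calling `gate(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES)` flags both libfoo advisories, highest score first, and blocks because 9.8 exceeds the default 7.0 threshold; libbar's version falls outside the affected range and is not reported.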