Skip to main content

Common Vulnerabilities and Exposures (CVE)

CVE assigns a unique public identifier to each disclosed security vulnerability, enabling consistent tracking across tools and organizations.

Common Vulnerabilities and Exposures (CVE) is a standardized system for naming publicly disclosed security vulnerabilities. Each entry gets a unique identifier, such as CVE-2021-44228 (Log4Shell), so everyone refers to the same flaw by the same name.

How It Works

The CVE program is run by MITRE and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). A network of CVE Numbering Authorities (CNAs), including major vendors and research organizations, can assign identifiers within their scope.

A CVE ID follows the format CVE-YEAR-NUMBER. Each record includes a brief description of the vulnerability, the affected products and versions, and references to advisories and fixes. The CVE entry itself is an identifier and description; severity is scored separately, usually with CVSS, and enriched data appears in databases like the U.S. National Vulnerability Database (NVD).

Security scanners, SBOM tools, and dependency checkers match the components you use against CVE records to tell you whether you are exposed.

Why It Matters

Before CVE, different vendors and tools described the same flaw in incompatible ways, making coordination difficult. A shared, unique identifier lets defenders, vendors, and tools communicate precisely about a vulnerability, track remediation, and automate scanning.

CVE is the backbone of vulnerability management. Combined with an SBOM, it lets organizations quickly determine whether a newly announced flaw affects their software and where. It is central to supply chain security and prioritized remediation.

CVE identifies a vulnerability but does not rate its risk; that requires CVSS scores and context such as exploitability and exposure.

Related Terms

CVE entries are scored with CVSS, matched against SBOM inventories, and are core to supply-chain security and threat modeling.