What is CVE?

CVE is a standardized identification system that assigns unique identifiers to publicly known cybersecurity vulnerabilities, enabling consistent tracking and communication across security tools.

What is CVE?

CVE (Common Vulnerabilities and Exposures) is a program that assigns unique identifiers (CVE IDs) to publicly disclosed cybersecurity vulnerabilities. The program is sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE. A CVE ID is a reference, not a severity rating or an analysis: it gives every advisory, scanner, database, and ticket the same name for the same flaw, so a finding can be traced from disclosure through to the patch without ambiguity across tools and organizations worldwide.

How are CVE IDs structured?

CVE IDs follow the format CVE-YYYY-NNNNN, where YYYY is the year the ID was reserved or the vulnerability was made public (not necessarily the year it was discovered or fixed) and NNNNN is a sequence number of at least four digits, zero-padded when shorter (CVE-2014-0160). For example, CVE-2021-44228 identifies the Log4Shell vulnerability. Since the 2014 syntax change the sequence portion has no fixed upper length, so parsers and regular expressions must accept four or more digits rather than assuming exactly four; five-digit sequences are now routine because of the volume of vulnerabilities reported each year.
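The format rules above are easy to get subtly wrong in tooling (case, the minimum of four digits, zero padding, and sorting). The following is an added example, not code from the original page, that validates and normalizes CVE IDs and extracts them from free text. The regular expression, function names, and the sample advisory text are this example's own constructions; the real IDs it names are well-known records (Log4Shell and its follow-ups, Heartbleed).

```python
import re

# A CVE ID is "CVE-" + four-digit year + "-" + a sequence of at least four digits.
# The lookarounds stop matches inside longer tokens such as "XCVE-2021-44228".
CVE_ID_RE = re.compile(r"(?<![\w-])CVE-(\d{4})-(\d{4,})(?!\w)", re.IGNORECASE)


def parse_cve_id(text):
    """Return (year, sequence) when `text` is exactly one CVE ID (any case), else None."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def normalize_cve_id(text):
    """Canonical upper-case form; the sequence is zero-padded to at least four digits, never truncated."""
    parsed = parse_cve_id(text)
    if parsed is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = parsed
    return f"CVE-{year:04d}-{seq:04d}"


def extract_cve_ids(text):
    """All CVE IDs in free text (advisory, ticket, scanner log): normalized, deduplicated,
    and sorted numerically by (year, sequence). A plain string sort would be wrong because
    'CVE-2021-10000' sorts before 'CVE-2021-9999' lexically."""
    found = {normalize_cve_id(f"CVE-{y}-{s}") for y, s in CVE_ID_RE.findall(text)}
    return sorted(found, key=parse_cve_id)


# Constructed advisory text used as sample input (not a real advisory). The malformed
# tokens at the end exercise the validator: too few digits, and an ID glued to a prefix.
SAMPLE_ADVISORY = """
Affected: cve-2021-44228 (Log4Shell), CVE-2021-45046 and CVE-2021-4104.
Unrelated: CVE-2014-0160. Not IDs: CVE-2021-123, XCVE-2021-44228.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

The lower-case `cve-2021-44228` and the upper-case form collapse to one entry, `CVE-2021-123` is rejected for having only three sequence digits, and the output is ordered by year and then numeric sequence rather than by string comparison.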

Who assigns CVE IDs?

CVE IDs are assigned by CVE Numbering Authorities (CNAs): software vendors such as Microsoft, Google, and Apple, open source projects, security research organizations, and bug bounty programs, each authorized to assign IDs for vulnerabilities within a defined scope (typically its own products). MITRE and CISA act as Top-Level Roots and as CNAs of Last Resort for vulnerabilities that fall outside any other CNA's scope. Several hundred CNAs worldwide take part, which distributes assignment work as vulnerability volume grows. In practice the vendor of an affected product is usually the right first contact for an ID, and a researcher who cannot reach a suitable CNA can request one from the CNA of Last Resort.

What information does a CVE entry contain?

A CVE record contains the CVE ID, a description of the vulnerability, references (vendor advisories, patches, and third-party write-ups), and the affected products and version ranges. The CNA that publishes the record may also include a CVSS score and a CWE classification, but these are optional, and a record on its own says nothing about exploitation status or remediation. Downstream databases such as the NVD (National Vulnerability Database) ingest the record and add the enrichment that scanners and dashboards rely on: CVSS scores, CWE classifications, and CPE identifiers for the affected products.

How does CVE relate to the NVD?

The NVD (National Vulnerability Database) is a NIST-maintained database that ingests CVE records and adds CVSS severity scores, CWE weakness classifications, CPE product identifiers (machine-readable names for affected products and versions), and tagged references (for example Patch, Vendor Advisory, Exploit). CVE provides the authoritative identifier and description; NVD provides the enriched analysis that vulnerability management tools consume. One caveat for tooling: enrichment lags publication, sometimes by days or longer, so a newly published CVE may appear in the NVD without a score or CPE data. A pipeline should treat a missing score as unknown, not as low severity.
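To make the two previous answers concrete (what a CVE record carries, and what the NVD layers on top), here is an added example that is not part of the original page. It parses a constructed record shaped after the CVE JSON 5.x format, checks whether an installed version falls in the affected range, and merges in a constructed response shaped after the NVD API 2.0. Both samples are abbreviated illustrations keyed to the page's Log4Shell example, not copies of the real records; the JSON shapes, the `2.0.0` start of the affected range (the real range begins at a pre-release build), and the toy numeric-only version comparison are this example's assumptions.

```python
import json

# Constructed sample shaped after the CVE JSON 5.x record format (cveMetadata + containers.cna).
# Abbreviated illustration of the page's Log4Shell example, not the real record.
CVE_RECORD_JSON = """{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2021-44228", "state": "PUBLISHED", "assignerShortName": "apache"},
  "containers": {"cna": {
    "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints."}],
    "affected": [{"vendor": "Apache", "product": "Log4j2",
                  "versions": [{"version": "2.0.0", "lessThan": "2.15.0", "status": "affected", "versionType": "semver"}]}],
    "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}],
    "references": [{"url": "https://logging.apache.org/log4j/2.x/security.html", "tags": ["vendor-advisory"]}]
  }}
}"""

# Constructed sample shaped after the NVD API 2.0 response for the same ID (the enrichment layer).
NVD_RESPONSE_JSON = """{
  "vulnerabilities": [{"cve": {
    "id": "CVE-2021-44228",
    "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
    "weaknesses": [{"type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}],
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
      {"vulnerable": true, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
       "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}]}]}]
  }}]
}"""


def parse_cve_record(raw):
    """Pull the fields a vulnerability-management pipeline needs out of a CVE 5.x record."""
    rec = json.loads(raw)
    cna = rec["containers"]["cna"]
    return {
        "id": rec["cveMetadata"]["cveId"],
        "state": rec["cveMetadata"]["state"],
        "description": next((d["value"] for d in cna.get("descriptions", []) if d.get("lang") == "en"), ""),
        # (vendor, product, first affected version, first fixed version) per affected range
        "affected": [
            (a["vendor"], a["product"], v.get("version"), v.get("lessThan"))
            for a in cna.get("affected", [])
            for v in a.get("versions", [])
            if v.get("status") == "affected"
        ],
        "cwes": [d["cweId"] for pt in cna.get("problemTypes", []) for d in pt["descriptions"] if "cweId" in d],
        "references": {r["url"]: r.get("tags", []) for r in cna.get("references", [])},
    }


def _ver(v):
    # Toy comparison for numeric dotted versions only; semver pre-release rules are out of scope here.
    return tuple(int(p) for p in v.split("."))


def is_affected(summary, vendor, product, installed):
    """True if the installed version falls in any affected [version, lessThan) range for the product."""
    for ven, prod, start, end in summary["affected"]:
        if (ven.lower(), prod.lower()) != (vendor.lower(), product.lower()):
            continue
        if start is not None and _ver(installed) < _ver(start):
            continue
        if end is None or _ver(installed) < _ver(end):
            return True
    return False


def enrich_from_nvd(summary, raw_nvd):
    """Merge NVD's CVSS score, CWE and CPE data into the CVE summary, joined on the CVE ID.
    Returns a new dict; a record with no NVD match comes back without a 'cvss' key (unknown, not low)."""
    out = dict(summary)
    for item in json.loads(raw_nvd)["vulnerabilities"]:
        cve = item["cve"]
        if cve["id"] != summary["id"]:
            continue
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        if metrics:
            out["cvss"] = (metrics[0]["cvssData"]["baseScore"], metrics[0]["cvssData"]["baseSeverity"])
        out["nvd_cwes"] = [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]]
        out["cpes"] = [
            c["criteria"] for cfg in cve.get("configurations", [])
            for node in cfg["nodes"] for c in node["cpeMatch"] if c.get("vulnerable")
        ]
    return out


if __name__ == "__main__":
    summary = enrich_from_nvd(parse_cve_record(CVE_RECORD_JSON), NVD_RESPONSE_JSON)
    print(summary["id"], summary.get("cvss"), summary["cpes"])
    print("2.14.1 affected:", is_affected(summary, "apache", "log4j2", "2.14.1"))
```

The split mirrors the two answers above: everything `parse_cve_record` returns comes from the CNA's record, while the score, NVD weakness list, and CPE criteria only exist after `enrich_from_nvd` runs. Leaving `cvss` absent rather than defaulting it to zero is deliberate, so that unenriched records are surfaced as unknown.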

How do organizations use CVE in vulnerability management?

Organizations use CVE IDs as the key that ties a vulnerability together across scanning tools, vendor advisories, threat intelligence feeds, patch management systems, and compliance reports. A scanner reports a finding as a CVE ID; that ID is matched to the vendor's advisory to find the fixed version, to the patch system to check whether the fix is deployed, and to intelligence feeds to judge urgency. Two practical caveats: IDs must be normalized before matching, because scanners and feeds differ in case and formatting, and a CVE ID alone does not prove a given build is vulnerable, because distributions often backport fixes without changing the upstream version number. Applicability should be confirmed against the vendor's advisory rather than the version string alone.

What happens when a CVE is disputed or rejected?

CVE records can be disputed when the affected vendor or another party disagrees that the reported issue is a vulnerability. Disputed records are not removed; the record is tagged DISPUTED in its description and stays on the CVE List. Rejected records (typically duplicates, non-vulnerabilities, or IDs assigned in error) are kept with a REJECTED state rather than deleted, so that an ID is never reused and anything that already cites it still resolves to a stable explanation. Tooling should read the state: a scanner finding keyed on a rejected ID needs its signature reviewed rather than remediated, and a disputed ID needs an applicability decision before it is treated as a confirmed finding.
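The vulnerability-management workflow described two answers above, together with the state handling in this one, is easiest to see as a small correlation step. The following is an added example and not the page's or any vendor's tool. Its scanner export, record-state map, and patch inventory are constructed inputs: the hosts are made up, the 2014/2021 IDs are real well-known records, and the CVE-1900-* IDs are placeholders for the rejected and disputed cases (1900 predates the CVE program, so they cannot collide with a real record).

```python
import csv
import io
import re

CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

# Constructed scanner export in a host,cve,plugin shape. Note the duplicate finding for
# web-01 with different case, and a vendor-only finding on ci-01 that carries no CVE ID.
SCAN_CSV = """host,cve,plugin
web-01,CVE-2021-44228,Log4j JNDI lookup
web-01,cve-2021-44228,Log4j JNDI lookup (second plugin; same CVE)
web-02,CVE-2021-45046,Log4j incomplete fix
db-01,CVE-2014-0160,OpenSSL Heartbleed
build-01,CVE-1900-0001,placeholder (rejected record)
build-01,CVE-1900-0002,placeholder (disputed record)
ci-01,not-a-cve,vendor-only finding without a CVE
"""

# Constructed state map, as a pipeline would derive it from the CVE List. The 1900 IDs are
# placeholders only; no statement is being made about any real record.
CVE_STATES = {
    "CVE-2021-44228": "PUBLISHED",
    "CVE-2021-45046": "PUBLISHED",
    "CVE-2014-0160": "PUBLISHED",
    "CVE-1900-0001": "REJECTED",
    "CVE-1900-0002": "DISPUTED",
}

# Constructed patch inventory: the CVE IDs covered by advisories applied on each host.
APPLIED_PATCHES = {"db-01": {"CVE-2014-0160"}}


def load_findings(raw_csv):
    """Parse scanner rows, canonicalize the CVE ID, and collapse duplicate (host, cve) pairs."""
    findings = set()
    for row in csv.DictReader(io.StringIO(raw_csv)):
        m = CVE_ID_RE.fullmatch(row["cve"].strip())
        if not m:
            continue  # no CVE ID means nothing to correlate against advisories or patches
        cve = f"CVE-{m.group(1)}-{int(m.group(2)):04d}"
        findings.add((row["host"], cve))
    return sorted(findings)


def triage(findings, states, applied):
    """Join each finding to the CVE record state and the patch inventory.

    Returns {"open": [(host, cve, note)], "closed": [(host, cve)], "review": [(host, cve, reason)]}.
    REJECTED records go to "review": the scanner signature references a withdrawn ID and needs
    checking, not patching. DISPUTED records stay open but carry a note, since the vendor
    contests them and applicability has to be decided before remediation is demanded.
    """
    result = {"open": [], "closed": [], "review": []}
    for host, cve in findings:
        state = states.get(cve, "UNKNOWN")
        if state == "REJECTED":
            result["review"].append((host, cve, "rejected CVE record; check scanner signature"))
            continue
        if cve in applied.get(host, set()):
            result["closed"].append((host, cve))
            continue
        note = "disputed record; confirm applicability with vendor" if state == "DISPUTED" else ""
        result["open"].append((host, cve, note))
    return result


if __name__ == "__main__":
    for bucket, rows in triage(load_findings(SCAN_CSV), CVE_STATES, APPLIED_PATCHES).items():
        print(bucket)
        for row in rows:
            print("  ", *row)
```

Running it leaves three open findings (one of them annotated as disputed), closes the Heartbleed finding because db-01 already carries the advisory, and routes the rejected placeholder to review instead of to a remediation ticket. An ID absent from the state map is treated as UNKNOWN rather than silently dropped, matching the caveat above about not mistaking missing data for a low-risk result.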

How does CVE support penetration testing?

Penetration testers reference CVE IDs in reports so that each finding maps to a standardized identifier that clients can look up against vendor patches, CVSS scores, and exploit databases. This lets a client locate remediation guidance, verify patching status, and track resolution across the environment without reconciling tester-specific names. A CVE reference should accompany the evidence rather than replace it: the report should still show how the tester confirmed the vulnerability on the target, since a version match alone can be a false positive where the vendor or distribution has backported the fix.

How To Get Started

Ready to strengthen your security? Fill out our quick form, and a cybersecurity expert will reach out to discuss your needs and next steps.