CVE (Common Vulnerabilities and Exposures)
CVE (Common Vulnerabilities and Exposures) is a publicly maintained catalog that assigns a unique, standardized identifier to each publicly disclosed cybersecurity vulnerability, making it easier to reference and track across tools and…
Definition
CVE (Common Vulnerabilities and Exposures) is a publicly maintained catalog that assigns a unique, standardized identifier to each publicly disclosed cybersecurity vulnerability, making it easier to reference and track across tools and organizations.
Overview
Each CVE entry follows the format CVE-YYYY-NNNNN (year of assignment plus a sequence number) and includes a brief description of the affected software and the nature of the flaw. The CVE program is maintained by MITRE Corporation and funded by the U.S. Department of Homeland Security, with CVE Numbering Authorities (CNAs) — vendors, researchers, and coordination centers — authorized to assign new IDs. CVE identifiers alone don't indicate severity; they are typically paired with a Common Vulnerability Scoring System (CVSS) score to communicate how critical a flaw is. Vulnerability scanners, patch management tools, and threat intelligence feeds all reference CVE IDs so that security teams, vendors, and researchers can talk about the exact same issue unambiguously, regardless of which product or vendor discovered it. A zero-day vulnerability typically receives a CVE ID once it becomes publicly known. Understanding how to read, prioritize, and remediate CVEs is essential vulnerability management work, covered in Cloud Security Fundamentals and DevSecOps & Security Automation.
Key Concepts
- Standardized identifier format: CVE-YYYY-NNNNN
- Maintained by MITRE, funded by the U.S. Department of Homeland Security
- Assigned by authorized CVE Numbering Authorities (CNAs)
- Paired with CVSS scores to communicate severity
- Referenced across vulnerability scanners, patch tools, and threat feeds
- Enables unambiguous cross-vendor, cross-tool communication about the same flaw