What is a CVE?
A CVE (Common Vulnerabilities and Exposures entry) is a unique, public ID assigned to a specific known security flaw, so that every scanner, vendor, news article, and defender can talk about the exact same vulnerability by the exact same name.
What does it mean?
Before CVEs existed, two security tools could find the same flaw and call it two different things, and a defender had no reliable way to know they were looking at one problem instead of two. A CVE solves that with a shared dictionary entry. Each entry has an ID in the form CVE-YEAR-NUMBER — for example CVE-2021-44228, the famous Log4Shell flaw — plus a short description, references, and a list of affected products and versions. The CVE record is deliberately lightweight: it is the lookup key, not the full story.
Think of it as the ISBN of security flaws. An ISBN does not tell you whether a book is good; it just guarantees that when two people say a number, they mean the same book. A CVE does the same for vulnerabilities, which turns out to be the unglamorous foundation that the entire patching and scanning ecosystem is built on.
Where the term came from
The CVE program launched in 1999, run by the nonprofit MITRE Corporation with funding from the U.S. government, precisely to end the naming chaos described above. The original list held a few hundred entries; today there are well over two hundred thousand. The program works through a federated model: organizations called CVE Numbering Authorities (CNAs) — major vendors like Microsoft, Google, and Apple, plus coordination bodies — are authorized to assign CVE IDs for flaws in their own products, which spreads the workload across the industry instead of bottlenecking on one team.
Alongside the CVE list, the U.S. National Vulnerability Database (NVD), run by NIST, takes each CVE and enriches it with a severity score, structured affected-version data, and references. So in practice, people say "CVE" but pull the actionable details from the NVD.
How it works
The number that usually drives action is not the CVE ID itself but the CVSS score attached to it. CVSS, the Common Vulnerability Scoring System, rates each flaw from 0.0 to 10.0 based on factors such as whether it can be exploited over the network, how much privilege or user interaction it needs, and how badly it compromises confidentiality, integrity, and availability. In CVSS v3, scores bucket into None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). This is the base score: it describes the flaw's intrinsic properties, not how exposed your particular deployment is. A CVE with a 9.8 makes headlines; one with a 3.1 rarely does.
The crucial nuance is that a CVE describes a flaw in a product, not in your system. A CVE rated 10.0 in a library you do not use, or in a version you patched two releases ago, is irrelevant to you. Conversely, a medium-scored CVE in a component sitting on your public login page can be a genuine emergency. This is why mature teams combine CVE data with an accurate inventory of what they actually run and where it is exposed, a practice that overlaps heavily with threat modeling. A CVE is simply a vulnerability that has been catalogued under a globally agreed name; the underlying flaw is no different from any other.
When it matters
CVEs matter most during two moments: routine patching and emergency response. In normal operations, vulnerability scanners cross-reference your software against the CVE list and tell you which known flaws apply, so your team can prioritize updates. In a crisis — when a critical CVE drops for something you depend on — the CVE ID becomes the shared reference everyone from your engineers to your vendors to the security press uses to coordinate the response. Log4Shell (CVE-2021-44228) was the textbook example: a single identifier let the whole world organize a response within hours. For any company pursuing SOC 2 or PCI-DSS, demonstrating a disciplined process for tracking and remediating CVEs is effectively table stakes.
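The cross-referencing that a scanner performs in routine patching, and the inventory-plus-exposure reasoning from the previous section, as one added example. This is not the page's or any scanner's code: it matches a constructed inventory against CVE records in the shape of NVD's cpeMatch entries (product plus an affected version range) and ranks the hits with internet-facing hosts first. The Log4Shell range is simplified from NVD's real multi-range configuration, and the second record is a constructed placeholder for a product that nobody in the inventory runs.

```python
import re

# Constructed CVE records in the shape of NVD "cpeMatch" entries.
CVE_RECORDS = [
    # Range simplified from NVD's configuration for CVE-2021-44228.
    {"id": "CVE-2021-44228", "cvss": 10.0, "product": "apache:log4j",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
    # Constructed placeholder: a critical flaw in something we do not run.
    {"id": "CVE-XXXX-XXXX (constructed placeholder)", "cvss": 9.8,
     "product": "example:widgetd",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.4"},
]

# Constructed inventory: what is deployed, and whether it faces the internet.
INVENTORY = [
    {"host": "login-web-01", "product": "apache:log4j",
     "version": "2.14.1", "internet_facing": True},
    {"host": "batch-worker-03", "product": "apache:log4j",
     "version": "2.17.1", "internet_facing": False},   # already patched
    {"host": "login-web-01", "product": "openbsd:openssh",
     "version": "9.6", "internet_facing": True},       # no record for it
]


def version_key(version):
    """'2.14.1' -> (2, 14, 1). Non-numeric suffixes such as '-beta9' are
    ignored; this is an assumption that only holds for dotted-numeric versions."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b, padding with zeros so
    that '2.15' and '2.15.0' compare equal."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, record):
    """True if version lies in the record's [start, end) range. A missing
    bound is treated as open, as it is in NVD data."""
    start = record.get("versionStartIncluding")
    end = record.get("versionEndExcluding")
    if start is not None and compare(version, start) < 0:
        return False
    if end is not None and compare(version, end) >= 0:
        return False
    return True


def find_applicable(inventory, records):
    """Cross-reference inventory against CVE records. Findings are returned
    most urgent first: internet-facing hosts before internal ones, then by
    descending CVSS base score."""
    findings = []
    for item in inventory:
        for rec in records:
            if rec["product"] == item["product"] and in_range(item["version"], rec):
                findings.append({"host": item["host"], "cve": rec["id"],
                                 "cvss": rec["cvss"],
                                 "internet_facing": item["internet_facing"]})
    findings.sort(key=lambda f: (not f["internet_facing"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for f in find_applicable(INVENTORY, CVE_RECORDS):
        print(f"{f['host']}: {f['cve']} (CVSS {f['cvss']}, "
              f"internet-facing={f['internet_facing']})")
```

Only login-web-01 comes out of this: the patched worker falls outside the range and the placeholder CVE never matches a product in the inventory, which is exactly the filtering the scanner does for you before a human has to decide whether the remaining hits are reachable.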
At QUANT LAB
Knowing a CVE exists is easy; knowing whether it is actually exploitable in your environment is the hard part, and it is where our penetration testing work earns its keep. We do not just hand you a scanner dump of every CVE that matches your software inventory — we verify which ones are reachable, which ones chain into a real attack path, and which ones a scanner flagged but an attacker could never reach. We map findings to MITRE ATT&CK so you understand the technique behind the flaw, not just its catalog number. If you want the deeper distinction between an automated scan and human verification, our blog post on what penetration testing actually is lays it out.
Long-form deep-dives that use this term
What Is Penetration Testing? A Founder's Buyer Guide
What a pentest actually is, the five types you can buy, and what a real report looks like.
SOC 2 Pentest Prep Guide (2026)
Pre-audit pentesting that maps cleanly to SOC 2 CC controls.
Penetration Test Cost (2026)
Real pricing for web app, network, AD, and red team engagements.
Worried a CVE affects you?
We will tell you which known flaws are actually exploitable in your stack — not just which ones match your software list. Book a 30-minute call.