100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

CVE (Common Vulnerabilities and Exposures)

IntermediateConcept11.3K learners

CVE (Common Vulnerabilities and Exposures) is a publicly maintained catalog that assigns a unique, standardized identifier to each publicly disclosed cybersecurity vulnerability, making it easier to reference and track across tools and…

Definition

CVE (Common Vulnerabilities and Exposures) is a publicly maintained catalog that assigns a unique, standardized identifier to each publicly disclosed cybersecurity vulnerability, making it easier to reference and track across tools and organizations.

Overview

Each CVE entry follows the format CVE-YYYY-NNNNN (year of assignment plus a sequence number) and includes a brief description of the affected software and the nature of the flaw. The CVE program is maintained by MITRE Corporation and funded by the U.S. Department of Homeland Security, with CVE Numbering Authorities (CNAs) — vendors, researchers, and coordination centers — authorized to assign new IDs. CVE identifiers alone don't indicate severity; they are typically paired with a Common Vulnerability Scoring System (CVSS) score to communicate how critical a flaw is. Vulnerability scanners, patch management tools, and threat intelligence feeds all reference CVE IDs so that security teams, vendors, and researchers can talk about the exact same issue unambiguously, regardless of which product or vendor discovered it. A zero-day vulnerability typically receives a CVE ID once it becomes publicly known. Understanding how to read, prioritize, and remediate CVEs is essential vulnerability management work, covered in Cloud Security Fundamentals and DevSecOps & Security Automation.

Key Concepts

  • Standardized identifier format: CVE-YYYY-NNNNN
  • Maintained by MITRE, funded by the U.S. Department of Homeland Security
  • Assigned by authorized CVE Numbering Authorities (CNAs)
  • Paired with CVSS scores to communicate severity
  • Referenced across vulnerability scanners, patch tools, and threat feeds
  • Enables unambiguous cross-vendor, cross-tool communication about the same flaw

Use Cases

Vulnerability scanners flagging affected software by matching CVE IDs
Security teams prioritizing patching based on CVE severity (CVSS) scores
Vendors publishing security advisories that reference specific CVEs
Compliance audits requiring evidence that known CVEs have been remediated
Threat intelligence reports tracking which CVEs are being actively exploited

Frequently Asked Questions