CVE (Common Vulnerabilities and Exposures)
CVE (Common Vulnerabilities and Exposures) is a standardized system of unique identifiers for publicly known cybersecurity vulnerabilities, maintained by the MITRE Corporation.
The Common Vulnerabilities and Exposures (CVE) system provides a standardized method for identifying and cataloging publicly disclosed cybersecurity vulnerabilities. Each CVE entry is assigned a unique identifier in the format CVE-YEAR-NUMBER (for example, CVE-2021-44228 for the Log4Shell vulnerability). This standardized naming convention allows security professionals, vendors, and organizations worldwide to reference the same vulnerability unambiguously.
The CVE program is sponsored by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and operated by the MITRE Corporation. CVE Numbering Authorities (CNAs), which include major technology vendors and security research organizations, are authorized to assign CVE identifiers to newly discovered vulnerabilities within their scope.
When a new vulnerability is discovered, a CVE ID is reserved and a description is published in the CVE List. This entry is then enriched with additional technical details, severity scores (via CVSS), affected products, and references in the National Vulnerability Database (NVD). Security tools, vulnerability scanners, and patch management systems use CVE identifiers to correlate findings across different platforms and data sources.
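The identifier syntax described above and the cross-source correlation it enables can be shown in a few lines of code. The following is an added example, not code from the CVE program, MITRE, or NVD: it validates and canonicalizes CVE IDs (four-digit year; sequence number of exactly four digits, possibly zero-padded, or five or more digits without a leading zero), pulls them out of free-text scanner output, and joins them against an NVD-style enrichment table on the canonical ID. Only CVE-2021-44228 is taken from the page; the `CVE-2099-*` identifiers, the host names, and the CVSS values are constructed placeholders, and `correlate` is a hypothetical helper written for this illustration.

```python
import re
from collections import defaultdict

# Canonical CVE identifier: "CVE-" + 4-digit year + "-" + sequence number.
# The sequence is either exactly four digits (zero-padded allowed) or five
# or more digits with no leading zero; case-insensitive so "cve-..." matches.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(0\d{3}|[1-9]\d{3,})\b", re.IGNORECASE)


def normalize_cve_id(raw):
    """Return the canonical upper-case form of one CVE ID, or None when the
    string is not a well-formed identifier."""
    m = CVE_ID_RE.fullmatch(raw.strip())
    if not m:
        return None
    year, seq = m.groups()
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """Find every well-formed CVE ID in free text (advisory, scanner plugin
    output, commit message); return canonical IDs, de-duplicated, in
    first-seen order. Malformed look-alikes are silently skipped."""
    found = []
    for m in CVE_ID_RE.finditer(text):
        cid = f"CVE-{m.group(1)}-{m.group(2)}"
        if cid not in found:
            found.append(cid)
    return found


# Constructed sample data: per-host scanner findings and an NVD-style
# enrichment table. CVE-2099-* IDs are placeholders, not real entries.
SCANNER_FINDINGS = [
    {"host": "app-01", "plugin_output": "Log4j 2.14.1 detected: cve-2021-44228"},
    {"host": "app-02", "plugin_output": "CVE-2021-44228, CVE-2099-0001 (placeholder)"},
    {"host": "db-01", "plugin_output": "No CVEs matched"},
    # CVE-2099-00001 has a leading zero in a five-digit sequence: invalid.
    {"host": "web-01", "plugin_output": "CVE-2099-12345; typo: CVE-2099-00001"},
]

NVD_SAMPLE = {
    "CVE-2021-44228": {"cvss": 10.0, "summary": "Log4Shell (from the page)"},
    "CVE-2099-0001": {"cvss": 7.5, "summary": "constructed placeholder entry"},
}


def correlate(findings, nvd):
    """Join scanner findings to NVD-style enrichment on the canonical CVE ID.
    Returns (enriched, unknown): enriched is a list of (cve_id, cvss, hosts)
    sorted by descending CVSS; unknown lists IDs the enrichment feed lacks,
    which is what a team would see for a reserved-but-unpublished entry."""
    hosts_by_cve = defaultdict(set)
    for f in findings:
        for cid in extract_cve_ids(f["plugin_output"]):
            hosts_by_cve[cid].add(f["host"])
    enriched, unknown = [], []
    for cid, hosts in hosts_by_cve.items():
        if cid in nvd:
            enriched.append((cid, nvd[cid]["cvss"], sorted(hosts)))
        else:
            unknown.append(cid)
    enriched.sort(key=lambda row: (-row[1], row[0]))
    return enriched, sorted(unknown)


if __name__ == "__main__":
    rows, missing = correlate(SCANNER_FINDINGS, NVD_SAMPLE)
    for cid, score, hosts in rows:
        print(f"{cid}  CVSS {score:>4}  hosts={','.join(hosts)}")
    print("not yet in enrichment feed:", missing)
```

Normalizing before joining is the point: the same vulnerability arrives as `cve-2021-44228` from one tool and `CVE-2021-44228` from another, and only the canonical string lets the two records land on one row. IDs that the enrichment feed does not know are reported rather than dropped, since a reserved CVE can appear in scanner output before its NVD record exists.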
The CVE system is a cornerstone of modern vulnerability management. It enables organizations to track vulnerabilities consistently, share threat intelligence effectively, and ensure that patches and mitigations are applied to the correct issues. Without CVE, communicating about specific vulnerabilities across the industry would be far more error-prone and inefficient.