What Is a CVE? A Plain-English Guide to Vulnerability IDs

Published June 3, 2026 · 10 min read

If you have ever run a vulnerability scan, you have seen identifiers like CVE-2021-44228 scroll past. CVE is the shared vocabulary the entire security industry uses to name vulnerabilities. This guide explains what a CVE is, how the system works, and how it connects to the other acronyms — CVSS, CWE, EPSS, KEV — you will run into right beside it.

CVE, defined

CVE stands for Common Vulnerabilities and Exposures. A CVE is a unique, public identifier assigned to a single security vulnerability so that everyone can refer to the same flaw without ambiguity. Before CVE existed, two security tools might describe the same bug in completely different terms; the CVE program, launched in 1999, gave the world one name per vulnerability.

A CVE record is deliberately minimal. At its core it contains an ID, a short description of the vulnerability, and references — links to advisories, patches, and research. It is a catalog entry, not a full technical report. The severity scoring and software matching that make a CVE actionable are added by other systems layered on top.

Reading a CVE ID

Every CVE ID follows the same pattern. Take CVE-2021-44228 (the Log4Shell vulnerability):

  • CVE — the fixed prefix, identifying it as a CVE record.
  • 2021 — the year the ID was reserved, which is not always the year the bug was disclosed.
  • 44228 — an arbitrary sequence number. It has no fixed length; since 2014 it can be four or more digits, so high-volume years produce six- and seven-digit numbers.

A common misconception is that a higher sequence number means a more recent or more severe bug. It means neither — the number is just the next one available when the ID was assigned.
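An added example (not code from the original article) that validates and canonicalises IDs in the syntax just described, and pulls the unique IDs out of free text such as a pasted scanner report. CVE-2021-9999 in the sample is a constructed placeholder used only to show the ordering point; it is not a reference to a real record.

```python
import re

# Anchored pattern for the ID syntax described above: the fixed "CVE" prefix,
# a four-digit reservation year, and a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)
# Same syntax, unanchored, for pulling IDs out of free text.
CVE_TOKEN_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_cve_id(text):
    """Return (canonical_id, year, sequence) for a well-formed CVE ID.

    Tolerates lower case and surrounding whitespace (common in pasted
    scanner output) and canonicalises to upper case. The year is the
    reservation year, not a disclosure date. Raises ValueError otherwise.
    """
    m = CVE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid CVE ID: {text!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}", int(m.group(1)), int(m.group(2))


def find_cve_ids(text):
    """Extract the unique CVE IDs mentioned in free text (an advisory, a
    scanner report), ordered by (year, numeric sequence).

    Sorting the raw strings would be wrong: the sequence number has no fixed
    length, so "CVE-2021-9999" sorts lexically *after* "CVE-2021-44228".
    """
    found = {m.group(0).upper() for m in CVE_TOKEN_RE.finditer(text)}
    return sorted(found, key=lambda cid: parse_cve_id(cid)[1:])


if __name__ == "__main__":
    # Constructed sample text; CVE-2021-9999 is a placeholder ID used only to
    # show the ordering problem, not a reference to a real record.
    sample = ("Fixed in this release: cve-2021-44228 (Log4Shell), CVE-2021-9999, "
              "and CVE-2021-44228 again. Not an ID: CVE-21-44228.")
    print(find_cve_ids(sample))  # ['CVE-2021-9999', 'CVE-2021-44228']
```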

Who runs the CVE program?

The CVE program is operated by the MITRE Corporation, a US non-profit, and is sponsored by CISA (the US Cybersecurity and Infrastructure Security Agency). MITRE does not personally catalog every vulnerability on Earth. Instead, the work is distributed across CVE Numbering Authorities (CNAs).

A CNA is an organization authorized to assign CVE IDs within a defined scope. There are over 350 of them, including major vendors like Microsoft, Red Hat, Google, Apple, Oracle, and GitHub. When a vulnerability is found in Red Hat's products, Red Hat (as a CNA) can assign the CVE itself. This federation is what lets the program keep up with tens of thousands of new vulnerabilities a year.

The CVE lifecycle

A CVE moves through a predictable set of states from discovery to a fully enriched record:

  1. Discovery & report. A researcher or vendor finds a flaw and reports it, usually under coordinated disclosure.
  2. Reserved. A CNA reserves a CVE ID. At this stage the ID exists but details are withheld — you may see a status of “RESERVED” with no description.
  3. Published. Once the issue is disclosed (often alongside a patch), the CNA publishes the description and references.
  4. Enriched. The National Vulnerability Database (NVD) and others add a CVSS severity score, CPE product identifiers, and weakness classifications. This is what turns a bare ID into something a scanner can act on.

That enrichment step matters in practice. In 2024 the NVD fell badly behind on enriching new CVEs, which left many records published but un-scored for weeks. Modern scanners work around this by pulling data from several sources rather than waiting on a single one.

CVE vs CVSS vs CWE vs EPSS vs KEV

These acronyms travel together and are constantly confused. Here is the one-line distinction for each:

Term   Answers the question                 Example
CVE    Which vulnerability is it?           CVE-2021-44228
CVSS   How severe is it (0–10)?             10.0 (Critical)
CWE    What class of weakness is it?        CWE-502 (unsafe deserialization)
EPSS   How likely is it to be exploited?    0.94 (94% in 30 days)
KEV    Is it being exploited right now?     Listed in CISA KEV

A CVE is the noun; the others are adjectives that describe it. We cover CVSS scoring, EPSS, and the CISA KEV catalog in their own deep dives.

Where CVE data lives

The canonical list of CVE records is published by the CVE program itself, but most tools consume CVE data through downstream databases that add their own value:

  • NVD — adds CVSS scores and CPE product matching on top of CVE records.
  • OSV — open-source-focused, with precise affected-version ranges per ecosystem.
  • GHSA — GitHub Security Advisories, strong on npm, pip, and other package managers.
  • Vendor trackers — Red Hat, Debian, and Ubuntu publish their own data that accounts for backported fixes.

No single source is complete, which is why good scanners merge several. For a side-by-side breakdown, see our CVE database comparison.

How a scanner connects CVEs to your software

A CVE on its own is just a catalog entry. A vulnerability scanner makes it relevant to you by inventorying the packages in your container image, binary, or source tree, then matching each package and version against the affected ranges in CVE-derived data. When a match is found, that CVE becomes a finding in your report.

The accuracy of that matching is where scanners differ most. Matching loosely on a product name produces false positives; reading the actual installed package state and honoring vendor backports produces findings you can trust. We unpack that distinction in installed-state scanning vs. advisory matching.
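An added example (not code from the original article or from any scanner) contrasting the two matching strategies described above: name-only matching beside installed-version range matching with a vendor-backport override. The advisory range, the vendor-tracker entry and the package inventory are all constructed and simplified; the Debian version string is hypothetical, not the real package version.

```python
import re

# Constructed OSV-style advisory (simplified, not the real OSV record): the
# affected range is expressed as introduced/fixed version events, as OSV does.
ADVISORIES = [
    {"id": "CVE-2021-44228", "package": "log4j-core",
     "ranges": [{"introduced": "2.0", "fixed": "2.15.0"}]},
]
# Constructed vendor-tracker data (hypothetical version): the distro backported
# the fix into its own package release without moving to upstream 2.15.0.
VENDOR_FIXED = {("debian", "log4j-core", "CVE-2021-44228"): "2.11.2-1+deb11u1"}
# Constructed inventory, as a scanner would read it from the installed state.
INVENTORY = [
    {"name": "log4j-core", "version": "2.14.1", "distro": None},               # vulnerable
    {"name": "log4j-core", "version": "2.11.2-1+deb11u1", "distro": "debian"}, # backported fix
    {"name": "log4j-core", "version": "2.17.1", "distro": None},               # upstream fix
]

def version_key(v):
    """Split '2.11.2-1+deb11u1' on the usual separators into a comparable
    tuple: digit runs compare as integers, everything else as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+~]", v))

def is_affected(version, rng):
    """OSV semantics: introduced <= version < fixed (open-ended if no fix yet)."""
    v = version_key(version)
    if v < version_key(rng["introduced"]):
        return False
    return "fixed" not in rng or v < version_key(rng["fixed"])

def match_by_name(inventory, advisories):
    """Loose matching on product name alone: every build of the package is
    reported, fixed ones included (the false-positive strategy)."""
    return [(p["name"], p["version"], a["id"])
            for p in inventory for a in advisories if p["name"] == a["package"]]

def match_installed_state(inventory, advisories, vendor_fixed):
    """Range matching on the installed version, then a vendor-backport override."""
    findings = []
    for p in inventory:
        for a in advisories:
            if p["name"] != a["package"] or not any(is_affected(p["version"], r) for r in a["ranges"]):
                continue
            backport = vendor_fixed.get((p["distro"], p["name"], a["id"]))
            if backport and version_key(p["version"]) >= version_key(backport):
                continue  # vendor data says this build already carries the fix
            findings.append((p["name"], p["version"], a["id"]))
    return findings
```

Run against the constructed inventory, `match_by_name` reports all three builds while `match_installed_state` reports only the 2.14.1 jar.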

Frequently asked questions

What does CVE stand for?

Common Vulnerabilities and Exposures. It is a program, run by MITRE and sponsored by CISA, that assigns a unique public ID to each disclosed security vulnerability.

Is a CVE the same as a vulnerability?

Effectively, in everyday use — but precisely, a CVE is the identifier and record for a vulnerability, not the flaw itself. The flaw can exist before a CVE is assigned and may never get one.

What is a CVE vs a CWE?

A CVE identifies a specific vulnerability in specific software. A CWE (Common Weakness Enumeration) identifies the category of mistake behind it, such as SQL injection or buffer overflow. One CWE category covers thousands of individual CVEs.

Who can request a CVE?

Anyone can request one, but the assignment goes through a CNA — either the vendor of the affected product (if it is a CNA) or MITRE, acting as the “CNA of last resort”, for everything else.

Find the CVEs in your software with ScanRook

Upload a container image, binary, or source archive and ScanRook matches every package against CVE data from OSV, NVD, GHSA, and vendor trackers — then ranks the findings by CVSS severity, EPSS exploit probability, and CISA KEV status so you know what to fix first.