CVE | Jul 3, 2026 | 8 min read | Beginner friendly

What is a CVE? Common Vulnerabilities and Exposures Explained

Every week, hundreds of security flaws are discovered in software you use every day — your browser, your VPN client, the server software behind your favourite websites. Without a standard way to name and track these flaws, the security world would be chaos. That is exactly what CVE solves.

This guide explains what CVE is, how a CVE ID works, who assigns them, and why understanding CVEs makes you a better IT professional.

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a publicly available list of known security flaws — each one given a unique identifier so that security teams, software vendors, and researchers worldwide can talk about the exact same issue without confusion.

In simple terms: CVE is like a registry of every reported pothole on the internet. Each pothole gets a unique ID so everyone — from the driver who found it to the road crew fixing it — is talking about the same hole.

The CVE programme was launched in 1999 by MITRE Corporation, a US non-profit that manages it on behalf of the Department of Homeland Security. Today it contains over 250,000 entries and grows by tens of thousands each year.

How a CVE ID works

Every CVE has an identifier in this format: CVE-YEAR-NUMBER

Example: CVE-2021-44228 is the identifier for Log4Shell, one of the most critical vulnerabilities in history — a flaw in the Apache Log4j logging library that allowed remote code execution on millions of servers.

The number itself carries no severity information. It is purely a label. Severity comes from a separate scoring system (CVSS — covered below).

Pro Tip

When a vendor or security blog mentions a CVE ID, search it directly at nvd.nist.gov — the National Vulnerability Database. You will find the official description, severity score, affected software versions, and links to patches, all in one place.

Who assigns CVEs?

CVE IDs are not assigned by one central team. They are assigned by a network of approved organisations called CVE Numbering Authorities (CNAs).

CNAs include major software vendors such as Microsoft, Google, and Apple, bug bounty platforms such as HackerOne, and MITRE itself, which acts as the CNA of last resort when no other CNA covers a product.

A researcher who finds a vulnerability reports it to the relevant CNA. The CNA reviews it, assigns a CVE ID, and publishes a description once it is safe to do so (after a patch is released or a disclosure deadline passes).

The CVE lifecycle

A CVE does not appear overnight. It goes through several stages:

  1. Discovery — a researcher or vendor finds a flaw in software
  2. Private disclosure — the researcher reports it to the vendor (responsible disclosure) or directly to a CNA
  3. CVE reserved — the CNA reserves a CVE ID, which may appear as "RESERVED" in public databases while a fix is being developed
  4. Patch developed — the vendor builds and tests a fix
  5. Public disclosure — the CVE is published along with the patch; users are notified to update
  6. NVD enrichment — the National Vulnerability Database adds CVSS scores, affected versions, and references

The window between discovery and public disclosure is called the embargo period. It typically lasts 90 days — a standard set by Google's Project Zero — giving vendors time to patch before attackers learn about the flaw.

A real-world example: Log4Shell

On 9 December 2021, a security researcher disclosed CVE-2021-44228 — Log4Shell. The flaw was in Apache Log4j, a Java logging library used by thousands of enterprise applications including Amazon, Apple iCloud, Cloudflare, Steam, and countless others.

The vulnerability allowed an attacker to send a single crafted string in a log message — something as simple as a username field — and cause the server to download and execute malicious code from the internet. No authentication required.

Its CVSS score was CRITICAL 10.0 — the highest possible. Within 72 hours, attackers were scanning the entire internet for vulnerable servers. Security teams worldwide dropped everything to patch.

This is why CVEs matter: a single vulnerability in one widely-used library can expose millions of systems simultaneously.

CVE vs CVSS — what is the difference?

These two terms are often confused. CVE is the identifier: it names a specific flaw so everyone is discussing the same issue. CVSS (the Common Vulnerability Scoring System) is the severity rating: a score from 0 to 10 that says how serious that flaw is, with no naming role at all.

Think of it this way: CVE is the name on the patient's file; CVSS is the triage score that tells the doctor how urgently to treat them.

Severity bands (CVSS v3.x): None 0.0; Low 0.1 to 3.9; Medium 4.0 to 6.9; High 7.0 to 8.9; Critical 9.0 to 10.0.

Why CVEs matter to you

Even if you are not a security researcher, CVEs affect your daily work: they tell you which of your servers and code dependencies need patching, and which fixes to apply first.

Action Step

Subscribe to the CISA Known Exploited Vulnerabilities (KEV) Catalog at cisa.gov/kev. It lists CVEs that are being actively exploited right now — these are the ones that need immediate attention, before attackers reach your systems.

Frequently asked questions

What does CVE stand for?

CVE stands for Common Vulnerabilities and Exposures. It is a standardised list of publicly known security flaws in software and hardware, maintained by MITRE Corporation.

Who assigns CVE IDs?

CVE IDs are assigned by CVE Numbering Authorities (CNAs) — approved organisations that include major vendors (Microsoft, Google, Apple), bug bounty platforms (HackerOne), and MITRE itself as the CNA of last resort.

Is every CVE dangerous?

No. CVEs are scored from 0–10 using CVSS. A score below 4 is low severity. Many CVEs have patches available before they are ever exploited in the wild. Focus your urgency on Critical and High scores, especially those appearing in the CISA KEV catalog.
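The ID format from "How a CVE ID works", the CVSS severity bands, and the triage rule above (Critical and High first, KEV-listed entries before everything else) combined into one working example. This is added code, not part of the original article or any MITRE or CISA tool; apart from CVE-2021-44228 (Log4Shell, CVSS 10.0), the CVE IDs, scores and KEV flags in the sample are constructed placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CVE-YEAR-NUMBER: a four-digit year, then four or more digits
# (five-digit sequence numbers such as CVE-2021-44228 are valid).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(text: str) -> tuple[int, int]:
    """Validate a CVE ID (case-insensitive) and return (year, sequence)."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_cve_id(text: str) -> bool:
    """True if the string is a well-formed CVE ID, False otherwise."""
    return CVE_ID_RE.match(text.strip().upper()) is not None

def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

BAND_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

@dataclass
class Finding:
    cve_id: str
    cvss: float
    in_kev: bool  # listed in the CISA KEV catalog (actively exploited)

def triage(findings: list[Finding]) -> list[str]:
    """Patch order: KEV entries first, then by severity band, then newest CVE first."""
    for f in findings:
        parse_cve_id(f.cve_id)  # reject malformed IDs before sorting
    key = lambda f: (f.in_kev, BAND_RANK[cvss_band(f.cvss)], parse_cve_id(f.cve_id))
    return [f.cve_id for f in sorted(findings, key=key, reverse=True)]

# Constructed sample: only CVE-2021-44228 comes from the article; CVE-2099-* are placeholders.
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, True),   # Log4Shell, Critical, in KEV
    Finding("CVE-2099-00001", 9.8, False),   # placeholder: Critical, not in KEV
    Finding("CVE-2099-00002", 3.3, False),   # placeholder: Low
    Finding("CVE-2099-00003", 7.5, True),    # placeholder: High, in KEV
]
```

Note that the KEV-listed High finding outranks the non-KEV Critical one; that is the deliberate policy from the action step above, not a bug.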

How do I know if my software has a CVE?

Search the National Vulnerability Database at nvd.nist.gov by product name. For code dependencies, run npm audit (Node.js), pip-audit (Python), or enable Dependabot on GitHub to get automatic alerts.
