CVE vs CVSS: what is the difference?
Last reviewed June 2, 2026
A CVE is a unique identifier assigned to a single, specific vulnerability, written as CVE-YYYY-NNNN: a four-digit year followed by a sequence number of at least four digits (CVE-2021-44228 has five, and there is no upper bound). CVSS is a separate framework that rates how severe a vulnerability is on a scale from 0.0 to 10.0. In short, the CVE names the flaw and the CVSS score measures its severity, so a single CVE record commonly carries one or more CVSS scores.
The core difference
CVE and CVSS solve two different problems. CVE answers the question "which vulnerability are we talking about?" by giving every publicly disclosed flaw a stable, unique name. CVSS answers the question "how bad is it?" by producing a numeric severity score.
Because they operate at different layers, they are not interchangeable and they do not compete. A vulnerability is first assigned a CVE identifier, and then a CVSS score can be calculated for that same vulnerability. One is a label, the other is a measurement of the thing the label points to.
Side-by-side comparison
| Attribute | CVE | CVSS |
|---|---|---|
| What it is | A unique identifier for one specific vulnerability | A scoring framework that rates vulnerability severity |
| Format | CVE-YYYY-NNNN, where the sequence number has four or more digits; for example CVE-2021-44228 | A decimal number from 0.0 to 10.0, reported to one decimal place |
| Purpose | Naming and referencing a flaw consistently | Measuring and prioritizing severity |
| Maintained by | The CVE Program (operated by MITRE, sponsored by CISA); identifiers are assigned by CNAs | FIRST (Forum of Incident Response and Security Teams) |
| Answers | Which vulnerability is this? | How severe is this vulnerability? |
| Current version | Not versioned; identifier format is stable | CVSS v4.0 (with v3.1 still in wide use) |
| Relationship | Can carry one or more CVSS scores | Is calculated for a specific CVE |
How they work together
In practice the two are used in sequence. A researcher or vendor discovers a flaw, a CNA assigns it a CVE identifier, and the record is published. Severity assessment then follows, where one or more parties compute a CVSS score for that CVE.
A single CVE can hold multiple CVSS scores at once, because different organizations may score the same flaw differently. For example, the vendor (acting as a CNA) and the National Vulnerability Database may each publish their own CVSS score for the same CVE identifier.
- CVE without CVSS: the flaw is named but its severity is not yet rated.
- CVSS without CVE: a severity score with no standard identifier to anchor it. This is uncommon in public disclosure, though routine for internal findings or bug-bounty reports that have not (or never) received a CVE.
- CVE with CVSS: the normal published state, where the flaw is both named and rated.
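The sequence and the three states above, as an added example that is not part of the original page: a Python script that validates CVE identifiers, pulls every CVSS score out of one record (so that a vendor score and an NVD score for the same CVE both surface), maps each score to its qualitative band, and reports a record as unscored when it carries no metrics yet. It assumes the NVD API 2.0 JSON layout for the metrics (lists named cvssMetricV31, cvssMetricV40 and so on, each entry with source, type and cvssData). The two records are constructed for illustration, with a fictional year and invented scores, and the headline-selection policy is this example's own choice, not a standard.

```python
import re
from dataclasses import dataclass, asdict

# CVE syntax: "CVE-", four-digit year, sequence number of at least four digits.
# A pattern that accepts exactly four digits would wrongly reject CVE-2021-44228.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Qualitative rating scale shared by CVSS v3.x and v4.0 (scores carry one decimal).
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


def is_valid_cve_id(cve_id: str) -> bool:
    """True when cve_id follows the CVE-YYYY-NNNN... syntax (case-sensitive)."""
    return CVE_ID_RE.fullmatch(cve_id) is not None


def severity_label(score: float) -> str:
    """Map a numeric CVSS base score to its qualitative band."""
    score = round(float(score), 1)  # scores are defined to one decimal
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass(frozen=True)
class CvssScore:
    source: str        # who produced the score: NVD, a vendor CNA, ...
    version: str       # CVSS version the score was computed under
    base_score: float
    vector: str
    primary: bool      # NVD marks its own analysis "Primary", CNA scores "Secondary"


def extract_scores(cve: dict) -> list[CvssScore]:
    """Collect every CVSS score on one record, assuming the NVD API 2.0 layout:
    cve["metrics"] holds lists named cvssMetricV2 / cvssMetricV31 / cvssMetricV40."""
    scores = []
    for key, entries in cve.get("metrics", {}).items():
        if not key.startswith("cvssMetric"):
            continue
        for entry in entries:
            data = entry["cvssData"]
            scores.append(CvssScore(
                source=entry.get("source", "unknown"),
                version=str(data["version"]),
                base_score=float(data["baseScore"]),
                vector=data["vectorString"],
                primary=entry.get("type") == "Primary",
            ))
    return scores


def summarize(cve: dict) -> dict:
    """Report the identifier, every score it carries, and one headline score.
    Headline policy (this example's choice, not a standard): prefer the Primary
    analysis, then the newest CVSS version. No metrics => "unscored", never 0.0."""
    cve_id = cve["id"]
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    scores = extract_scores(cve)
    if not scores:
        return {"cve": cve_id, "state": "unscored", "scores": []}
    headline = max(scores, key=lambda s: (s.primary, float(s.version)))
    with_band = lambda s: {**asdict(s), "severity": severity_label(s.base_score)}
    return {"cve": cve_id, "state": "scored",
            "headline": with_band(headline), "scores": [with_band(s) for s in scores]}


# Constructed sample records: fictional year 2099 so they cannot collide with a
# real CVE, and invented scores chosen to show NVD and a vendor disagreeing.
SCORED_RECORD = {
    "id": "CVE-2099-12345",
    "metrics": {
        "cvssMetricV31": [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {
                "version": "3.1", "baseScore": 9.8,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            {"source": "security@vendor.example", "type": "Secondary", "cvssData": {
                "version": "3.1", "baseScore": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
        ],
        "cvssMetricV40": [
            {"source": "security@vendor.example", "type": "Secondary", "cvssData": {
                "version": "4.0", "baseScore": 9.3,
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}},
        ],
    },
}
UNSCORED_RECORD = {"id": "CVE-2099-12346", "metrics": {}}  # CVE assigned, not yet rated

if __name__ == "__main__":
    for record in (SCORED_RECORD, UNSCORED_RECORD):
        print(summarize(record))
```

Keeping every score rather than collapsing to one number is the point: the 9.8 and 7.5 above are the same flaw scored under different assumptions, and a pipeline that silently keeps whichever arrived last will flip between Critical and High without anyone noticing.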
Why the two are confused
CVE and CVSS are among the most commonly confused terms in vulnerability management because they are almost always presented together. A vulnerability feed will show a CVE identifier next to its CVSS score on the same line, which makes them look like a single combined attribute rather than two distinct concepts.
A useful mental model: the CVE is like a license plate that uniquely identifies a vehicle, and the CVSS score is like a safety rating that describes how dangerous that vehicle is. The plate does not change, but the rating can be revised or assigned by more than one authority.
Keep exploring
- What is a CVE? How vulnerability identifiers are assigned and structured.
- What is CVSS? The framework behind vulnerability severity scores.
- CVSS Calculator: Compute a CVSS score from individual metrics.
- CVSS severity levels: How numeric scores map to None through Critical.
- How is a CVSS score calculated? The metrics that feed into a final score.
- What is the NVD? The database that enriches CVE records with scores.
Frequently asked questions
- Does every CVE have a CVSS score?
- No. A CVE identifier can be assigned and published before any CVSS score is calculated, and some records remain without a score for a period of time. The identifier and the score are produced by separate processes.
- Can one CVE have more than one CVSS score?
- Yes. Different organizations, such as the affected vendor and the National Vulnerability Database, may each publish their own CVSS score for the same CVE, and scores can differ based on assumptions and CVSS version used.
- Is a higher CVSS score always more urgent to fix?
- Not necessarily. CVSS measures inherent severity, but real-world urgency also depends on exploitation activity and exposure. Many teams combine the CVSS score with signals like EPSS and the CISA KEV catalog to prioritize.
- Who assigns the CVE and who assigns the CVSS score?
- CVE identifiers are assigned by CNAs under the MITRE-led CVE Program. CVSS scores follow a standard maintained by FIRST and can be calculated by vendors, the National Vulnerability Database, or any analyst using the published metrics.