CVE vs CWE: What is the Difference?
Last reviewed June 2, 2026
A CVE is a specific vulnerability instance in a specific product (for example, a particular SQL injection bug in one version of an app). A CWE is the weakness type, the root-cause category, behind it (SQL Injection in general). A CVE is usually mapped to one primary CWE, and a single CWE can be the root cause of thousands of CVEs.
CVE vs CWE at a glance
The simplest way to keep them straight: a CVE is an instance, a CWE is a type. A CVE records one concrete vulnerability in one product; a CWE names the general class of flaw that produced it.
| Aspect | CVE | CWE |
|---|---|---|
| Stands for | Common Vulnerabilities and Exposures | Common Weakness Enumeration |
| What it identifies | A specific vulnerability instance in a specific product | A type of weakness (root-cause category) |
| Example | CVE-2021-44228 (Log4Shell in Apache Log4j) | CWE-502 (Deserialization of Untrusted Data) |
| Scope | One product and version range | Applies across all products that share the flaw |
| Maintained by | IDs assigned by CVE Numbering Authorities (CNAs), coordinated through the CVE Program | MITRE, as a curated catalog of weakness types |
| Cardinality | Maps to one primary CWE (sometimes more) | One CWE underlies many CVEs |
| Question it answers | Which specific bug is this? | What kind of mistake caused it? |
What a CVE is
CVE stands for Common Vulnerabilities and Exposures. Each CVE record carries a unique identifier (such as CVE-2021-44228) and describes a single, specific vulnerability in a specific product or set of products, with the identifier assigned by a CVE Numbering Authority (CNA). It is the common reference number the whole industry uses to talk about the same bug.
What a CWE is
CWE stands for Common Weakness Enumeration. Each CWE describes a weakness type, the underlying kind of flaw, such as CWE-79 (Cross-site Scripting) or CWE-89 (SQL Injection). It is not tied to any one product. A CWE captures the root cause that many separate CVEs share.
How they connect
When a CVE is published, it is usually mapped to a primary CWE that names its root cause. That mapping is what lets you move from "we have 200 open CVEs" to "most of them are CWE-79 and CWE-89, so we should harden input handling." Fixing the CWE pattern prevents whole families of future CVEs, while fixing a CVE addresses one instance.
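The aggregation described above, as an added example that is not part of the original page: a small Python script that takes CVE records laid out like the NVD API 2.0 JSON (`cve.id`, `cve.weaknesses[].type`, `cve.weaknesses[].description[].value`), picks each record's primary CWE, and counts how many open CVEs share each root cause. The sample records are constructed for illustration, not real NVD data; the field layout is the assumption. It also handles the two edge cases a practitioner hits immediately: records whose primary slot holds an NVD placeholder (`NVD-CWE-noinfo`, `NVD-CWE-Other`) rather than a real CWE, and records that carry more than one CWE.

```python
"""Aggregate CVE records by primary CWE (added example, constructed data).

Records are modelled on the NVD API 2.0 JSON shape:
  {"cve": {"id": "CVE-YYYY-NNNN",
           "weaknesses": [{"source": ..., "type": "Primary"|"Secondary",
                           "description": [{"lang": "en", "value": "CWE-79"}]}]}}
"""
import re
from collections import Counter

# Official ID patterns: a CVE year plus a sequence of at least four digits,
# a CWE as "CWE-" followed by a number.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_ID = re.compile(r"^CWE-\d+$")

# Constructed sample records (not real CVEs): two XSS, one SQLi with a
# secondary CWE, one NVD placeholder, one record with no weaknesses at all.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2024-0001", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-2024-0002", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-89"}]},
        {"source": "cna@example.org", "type": "Secondary",
         "description": [{"lang": "en", "value": "CWE-20"}]}]}},
    {"cve": {"id": "CVE-2024-0003", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-2024-0004", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
    {"cve": {"id": "CVE-2024-0005"}},  # no weaknesses array at all
]


def all_cwes(record):
    """Return every well-formed CWE-n on a record, Primary entries first.

    NVD placeholder values (NVD-CWE-noinfo, NVD-CWE-Other) and anything
    else that is not a real CWE identifier are dropped.
    """
    weaknesses = record["cve"].get("weaknesses", [])
    # sorted() is stable, so Primary entries move ahead but keep their order.
    ordered = sorted(weaknesses, key=lambda w: w.get("type") != "Primary")
    found = []
    for weakness in ordered:
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if CWE_ID.match(value) and value not in found:
                found.append(value)
    return found


def primary_cwe(record):
    """Return the record's primary CWE, or None when no real CWE is mapped."""
    cwes = all_cwes(record)
    return cwes[0] if cwes else None


def cwe_histogram(records):
    """Count CVEs by primary CWE; records without a usable CWE land in 'unmapped'."""
    counts = Counter()
    for record in records:
        cve_id = record["cve"]["id"]
        if not CVE_ID.match(cve_id):
            raise ValueError(f"malformed CVE identifier: {cve_id!r}")
        counts[primary_cwe(record) or "unmapped"] += 1
    return counts


if __name__ == "__main__":
    for cwe, n in cwe_histogram(SAMPLE_RECORDS).most_common():
        print(f"{cwe:<10} {n}")
```

The "unmapped" bucket is the part worth keeping: a CWE histogram that silently skips placeholder records overstates how well the root causes are understood, so the script reports them as a count of their own.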
Frequently asked questions
- Is a CWE more general than a CVE?
- Yes. A CWE is a general weakness type, while a CVE is one specific instance of a vulnerability in a particular product. A single CWE can underlie thousands of CVEs.
- Does every CVE map to a CWE?
- Most do. CNAs and the NVD typically assign a primary CWE to a CVE. Where a record is too sparse to pin the weakness down, the NVD uses placeholder values (NVD-CWE-noinfo or NVD-CWE-Other) instead of a real CWE, so some older or thinly documented records carry no usable root-cause mapping.
- Can one CVE map to multiple CWEs?
- Yes. A CVE has a primary CWE but can be associated with additional CWEs when more than one weakness contributes to the vulnerability.
- Which should I track to reduce risk?
- Track both. CVEs tell you which specific bugs to patch now; CWEs reveal recurring root causes so you can fix patterns and prevent future vulnerabilities.