CVE vs CWE vs CAPEC: What is the Difference?
Last reviewed June 2, 2026
These three MITRE standards describe different layers of the same problem. A CWE is a weakness type (the flaw), a CVE is a specific vulnerability instance of that weakness in a product, and a CAPEC is an attack pattern (the method an adversary uses to exploit the weakness). In short: a CAPEC attack targets a CWE weakness, which manifests as a CVE instance.
CVE vs CWE vs CAPEC at a glance
Think of three layers: the attack (CAPEC), the weakness it targets (CWE), and the concrete bug that weakness produces in a product (CVE). The chain reads CAPEC targets CWE, which manifests as CVE.
| Aspect | CVE | CWE | CAPEC |
|---|---|---|---|
| Stands for | Common Vulnerabilities and Exposures | Common Weakness Enumeration | Common Attack Pattern Enumeration and Classification |
| What it describes | A specific vulnerability instance | A weakness type (root cause) | An attack pattern (how to exploit) |
| Perspective | What is broken, where | The kind of flaw | How an attacker abuses it |
| Example | CVE-2021-44228 (Log4Shell) | CWE-89 (SQL Injection) | CAPEC-66 (SQL Injection) |
| Scope | One product and version | All products with the flaw | Any system with the targeted weakness |
| Maps to | A primary CWE | CVEs (instances) and CAPECs (attacks) | The CWEs it targets (and often ATT&CK) |
CWE: the weakness
CWE is the root-cause layer. A CWE such as CWE-89 (SQL Injection) names a category of flaw independent of any product. It is the defender-centric view: what kind of mistake exists in the code or design.
CVE: the instance
CVE is the instance layer. A CVE such as CVE-2021-44228 (Log4Shell) is one specific, real vulnerability in one specific product, assigned by a CVE Numbering Authority (CNA). A CVE is usually mapped to a primary CWE, tying the concrete bug back to its weakness type.
CAPEC: the attack
CAPEC is the attacker layer. A CAPEC such as CAPEC-66 (SQL Injection) describes the method an adversary uses to exploit a weakness, including prerequisites, steps, and consequences. CAPEC entries map to the CWE weaknesses they target, and many also map to MITRE ATT&CK techniques.
Putting it together
- CAPEC-66 (SQL Injection attack) targets CWE-89 (the SQL injection weakness type).
- CWE-89 is the root cause behind many individual CVEs in real products.
- Each of those CVEs is a specific, patchable instance assigned a unique identifier.
- To reduce risk: detect and prevent the CAPEC attack, fix the CWE pattern in code, and patch the affected CVEs.
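To make the chain concrete, including the FAQ point below that a CVE reaches CAPEC only through its CWE, here is an added Python example; it is not code from MITRE or from this page. The records are constructed (CAPEC-66 targeting CWE-89 is the page's own mapping; the CVE identifiers are placeholders, not real entries).

```python
from collections import defaultdict

# Constructed sample data, not a MITRE or NVD export. CAPEC-66 -> CWE-89 is the
# mapping the page cites; the CVE identifiers are placeholders, not real records.
CWES = {"CWE-89": "SQL Injection", "CWE-79": "Cross-site Scripting"}
CAPECS = {  # attack pattern -> (name, CWE weaknesses it targets)
    "CAPEC-66": ("SQL Injection", ["CWE-89"]),
    "CAPEC-63": ("Cross-Site Scripting (XSS)", ["CWE-79"]),
}
CVES = {  # instance -> (affected product, primary CWE); placeholder IDs
    "CVE-0000-00001": ("exampleapp 1.2", "CWE-89"),
    "CVE-0000-00002": ("otherapp 3.0", "CWE-89"),
    "CVE-0000-00003": ("webui 2.1", "CWE-79"),
}


def build_index():
    """Invert both edge lists so the chain can be walked in either direction."""
    capecs_by_cwe = defaultdict(set)  # CWE -> attack patterns that target it
    cves_by_cwe = defaultdict(set)    # CWE -> instances that manifest it
    for capec, (_, cwes) in CAPECS.items():
        for cwe in cwes:
            capecs_by_cwe[cwe].add(capec)
    for cve, (_, cwe) in CVES.items():
        cves_by_cwe[cwe].add(cve)
    return capecs_by_cwe, cves_by_cwe


def attack_patterns_for_cve(cve_id):
    """Walk CVE -> primary CWE -> CAPECs; there is no direct CVE-to-CAPEC edge."""
    capecs_by_cwe, _ = build_index()
    return sorted(capecs_by_cwe[CVES[cve_id][1]])


def cves_exposed_to(capec_id, deployed):
    """CAPEC -> targeted CWEs -> CVEs, kept only for products in the deployed inventory.

    Given an alert matched to an attack pattern, this is the patch list to prioritise.
    """
    _, cves_by_cwe = build_index()
    hits = {}
    for cwe in CAPECS[capec_id][1]:
        for cve in cves_by_cwe[cwe]:
            product = CVES[cve][0]
            if product in deployed:
                hits[cve] = (product, cwe, CWES[cwe])
    return hits
```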
Keep exploring
- CVE vs CWE: The two-way comparison without attack patterns.
- What is a CWE? The weakness-type layer explained.
- What is CAPEC? The attack-pattern layer explained.
- Browse the CAPEC directory: Explore attack patterns and their target weaknesses.
- Browse the CWE directory: Explore weakness types and mapped CVEs.
- MITRE ATT&CK vs CAPEC: Observed behavior versus abstract attack patterns.
Frequently asked questions
- How do CVE, CWE, and CAPEC relate?
  - A CAPEC attack pattern targets a CWE weakness type, which manifests as a CVE vulnerability instance in a specific product. The three layers form a chain from attack to weakness to instance.
- Does a CVE link directly to a CAPEC?
  - Usually not directly. A CVE maps to a CWE, and CAPEC entries map to CWEs, so a CVE connects to relevant attack patterns through its shared weakness type.
- Are all three maintained by MITRE?
  - Yes. MITRE maintains CWE and CAPEC and coordinates the CVE Program, all with community input and public sponsorship.
- Which one should I use for threat modeling?
  - CAPEC is best for threat modeling because it enumerates attack methods. Pair it with CWE to identify the weaknesses to fix and CVE data to track real instances.