What is a CPE (Common Platform Enumeration)?
Last reviewed June 2, 2026
A CPE (Common Platform Enumeration) is a standardized naming scheme for IT products, platforms, and operating systems. A CPE name is a structured string in the form cpe:2.3:part:vendor:product:version:..., and it lets a CVE state precisely which products and versions are affected. By matching CPE names against installed software, tools can automatically tell whether a given CVE applies to a system.
CPE in one sentence
Common Platform Enumeration (CPE) is a structured way to name a product, platform, or operating system so that different tools refer to the same thing in the same way. It is the product-identification counterpart to the CVE's vulnerability identification.
Where a CVE names the flaw, a CPE names the affected product. Linking the two answers the practical question: does this vulnerability apply to the software I am actually running?
The cpe:2.3 string format
The current version is CPE 2.3, written as a colon-delimited formatted string. The general shape is cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other.
The part field is a for applications, o for operating systems, and h for hardware. A field with no specific value carries an asterisk (meaning any value) or a hyphen (meaning not applicable).
- cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:* -- the Log4j application at version 2.14.1.
- cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:* -- the Windows 10 operating system, any version.
How CPEs express what a CVE affects
A CVE record references CPE names in applicability statements that describe the set of affected products. These can include version ranges -- for example, all versions of a product before a fixed release -- so a single statement can cover many builds.
The NVD is a primary source of these CPE applicability statements, and CISA's Vulnrichment ADP also adds CPE data directly to CVE records. That product data is what allows scanners to map a CVE to concrete installed software.
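Putting the string format and the applicability statements together, the following is an added example (not code from this page or from the NVD) that parses CPE 2.3 names and checks an installed product against a version-range statement. It assumes range key names matching NVD's cpeMatch entries (versionStartIncluding and so on), uses a deliberately simplified dotted-number version ordering, and the sample statement is constructed rather than taken from a real CVE record.

```python
"""Parse CPE 2.3 names and test a CVE applicability entry against an installed
product. Added example; range keys mirror NVD cpeMatch, version order is simplified."""
import re

FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]
ANY, NA = "*", "-"  # "any value" and "not applicable" field markers
# NVD cpeMatch range keys, each paired with the test that puts a version OUTSIDE the range.
OUTSIDE = {"versionStartIncluding": lambda v, b: v < b,
           "versionStartExcluding": lambda v, b: v <= b,
           "versionEndIncluding":   lambda v, b: v > b,
           "versionEndExcluding":   lambda v, b: v >= b}


def parse_cpe(name: str) -> dict:
    """Split a cpe:2.3 string into its eleven named fields; a backslash-escaped
    colon (\\:) inside a value is not a field separator."""
    if not name.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string")
    parts = re.split(r"(?<!\\):", name[len("cpe:2.3:"):])
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def version_key(v: str) -> tuple:
    """Simplified ordering: numeric dotted components compare as ints, others as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cve_applies(cpe_match: dict, installed_cpe: str) -> bool:
    """True when the entry's criteria and version range cover the installed CPE
    name. An unknown installed version ('*' or '-') is never confirmed affected."""
    crit, inst = parse_cpe(cpe_match["criteria"]), parse_cpe(installed_cpe)
    if not cpe_match.get("vulnerable", True):  # non-vulnerable "running on" nodes
        return False
    if any(f != "version" and crit[f] not in (ANY, inst[f]) for f in FIELDS):
        return False
    if inst["version"] in (ANY, NA):
        return False
    if crit["version"] != ANY:  # exact-version statement, no range to evaluate
        return crit["version"] == inst["version"]
    key = version_key(inst["version"])
    return not any(k in cpe_match and outside(key, version_key(cpe_match[k]))
                   for k, outside in OUTSIDE.items())


# Constructed entry: every log4j release from 2.0 up to, but not including, 2.15.0.
STATEMENT = {"vulnerable": True, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}
```

Real scanners need a much richer version comparator than version_key, since vendor version strings (beta tags, build numbers, distro suffixes) rarely sort as plain dotted integers.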
Why CPEs matter
Without a common product vocabulary, matching vulnerabilities to assets would rely on fuzzy text matching of vendor and product names, which is error-prone. CPE gives that vocabulary a structured form.
In practice, CPE is what lets a vulnerability scanner say a specific CVE affects a specific host. It is the bridge between the abstract CVE record and your concrete inventory.
Keep exploring
- What is a CVE? -- The vulnerability a CPE is matched against.
- What is the NVD? -- A primary source of CPE applicability data.
- What is a CWE? -- The weakness-type counterpart to CPE.
- Browse vendors -- Explore products and their vulnerabilities.
- CNA vs Root vs ADP -- Where CPE enrichment fits in the program.
- What is an SBOM? -- A machine-readable inventory of software components.
- What is OSV? -- Open, distributed database for open-source vulnerabilities.
Frequently asked questions
- What does CPE stand for?
- CPE stands for Common Platform Enumeration, a standardized naming scheme for IT products, platforms, and operating systems.
- What does a CPE string look like?
- A CPE 2.3 name is a colon-delimited string such as cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*, which identifies an application, vendor, product, and version.
- How is a CPE related to a CVE?
- A CVE uses CPE names in its applicability statements to declare exactly which products and versions the vulnerability affects.
- Where do CPE applicability statements come from?
- Primarily the NVD's analysis, with CISA's Vulnrichment ADP adding CPE data directly to CVE records as well.