What is a CVE (Common Vulnerabilities and Exposures)?

CVE stands for Common Vulnerabilities and Exposures. A single CVE is a catalog entry -- an identifier plus a brief record -- that names one publicly disclosed vulnerability in a piece of software, firmware, or hardware.

The point of a CVE is to be a shared reference. When a scanner reports CVE-2021-44228, a vendor advisory cites CVE-2021-44228, and a news article mentions CVE-2021-44228, everyone knows they are talking about the exact same Log4j flaw. Without that common name, each tool and team would invent its own label and coordination would break down.

The CVE Program is operated by MITRE, a non-profit organization, and sponsored by CISA (the U.S. Cybersecurity and Infrastructure Security Agency). MITRE maintains the core infrastructure and the official CVE List, while a distributed network of CVE Numbering Authorities (CNAs) actually assigns IDs and writes records.

This federated model means MITRE does not personally triage every vulnerability on Earth. Instead, vendors like Microsoft, Google, and Red Hat -- plus independent coordinators -- are authorized as CNAs to assign CVE IDs within their own scope.

A common point of confusion: a CVE by itself does not tell you how severe a flaw is or how likely it is to be exploited. The CVE record names the vulnerability; separate systems describe it.

Severity is expressed with CVSS, exploitation likelihood with EPSS, the underlying weakness type with CWE, and the affected products with CPE. The National Vulnerability Database (NVD) and CISA's enrichment programs add much of this data on top of the base CVE record.

CVE IDs are the connective tissue of vulnerability management. Patch advisories, vulnerability scanners, SBOM tooling, threat intelligence feeds, and the CISA Known Exploited Vulnerabilities (KEV) catalog all key off CVE IDs.

Because the identifier is stable and public, you can track one vulnerability from first disclosure through patching, and correlate it across every tool in your stack.