What is a vulnerability in cybersecurity?

Last reviewed June 2, 2026

A vulnerability is a weakness or flaw in software, hardware, configuration, or a process that an attacker can exploit to compromise the confidentiality, integrity, or availability of a system. On its own a vulnerability is just a latent weakness; it becomes dangerous when someone has the means and motive to take advantage of it.

What a vulnerability is

A vulnerability is a defect or weakness in a system that, if exploited, allows an attacker to do something they should not be able to do, such as reading protected data, changing it, or knocking a service offline. It can live in source code, a default configuration, a hardware component, or even a human process.

The key word is exploitable. A weakness that no attacker can ever reach or trigger is a much smaller concern than one exposed to the internet. That is why severity scoring systems weigh how reachable and how impactful a flaw is, not just whether the bug exists.

Where vulnerabilities come from

Most vulnerabilities are introduced unintentionally during design, coding, or deployment. A developer might forget to validate input, a team might ship a service with a default password, or a library might contain a flaw inherited by everything that depends on it.

  • Coding mistakes, such as missing input validation or unsafe memory handling.
  • Design flaws, such as weak authentication or missing access controls.
  • Misconfiguration, such as exposed admin panels or permissive defaults.
  • Third-party and supply-chain weaknesses inherited from dependencies.

How vulnerabilities are tracked

When a specific vulnerability in a specific product is publicly disclosed, it usually receives a CVE identifier so everyone can refer to the same flaw. The underlying type of weakness, such as SQL injection or buffer overflow, is classified separately under the CWE catalog.

Severity is communicated with CVSS, and the likelihood of exploitation in the wild is estimated with EPSS. Together these let teams move from knowing a flaw exists to deciding how urgently to fix it.

Weakness, vulnerability, and exploit

These terms are related but distinct. A weakness is the general category of mistake (the kind of thing CWE describes). A vulnerability is a concrete instance of that weakness in a real product. An exploit is the code or technique that actually takes advantage of the vulnerability. One weakness type can produce thousands of vulnerabilities, and one vulnerability can have many exploits.
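As an added illustration of the two sections above (example code, not part of the original article): a small triage helper that checks the shape of CVE and CWE identifiers, ranks findings by an assumed rule that weights CVSS severity by EPSS likelihood and by whether the asset is reachable, and groups concrete CVEs under the CWE weakness they share. The ranking rule and the sample findings are assumptions; the CVE numbers and scores are made up for the example.

```python
import re
from dataclasses import dataclass

# Identifier shapes: CVE-<4-digit year>-<4 or more digits>, CWE-<digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")

@dataclass
class Finding:
    cve: str               # the concrete vulnerability (CVE id)
    cwe: str               # the weakness category it is an instance of (CWE id)
    cvss: float            # CVSS base score, 0.0-10.0 (severity)
    epss: float            # EPSS probability, 0.0-1.0 (likelihood of exploitation)
    internet_facing: bool  # is the affected asset reachable from the internet?

def is_valid_ids(cve: str, cwe: str) -> bool:
    """True when both identifiers have the expected shape."""
    return bool(CVE_RE.match(cve) and CWE_RE.match(cwe))

def urgency(f: Finding) -> float:
    """Assumed triage rule (not the official CVSS/EPSS method): severity
    weighted by likelihood, halved when the asset is not internet-facing."""
    if not is_valid_ids(f.cve, f.cwe):
        raise ValueError(f"malformed identifier in {f.cve}/{f.cwe}")
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"score out of range for {f.cve}")
    reach = 1.0 if f.internet_facing else 0.5
    return round(f.cvss * f.epss * reach, 3)

def prioritize(findings: list[Finding]) -> list[str]:
    """CVE ids ordered from most to least urgent."""
    return [f.cve for f in sorted(findings, key=urgency, reverse=True)]

def by_weakness(findings: list[Finding]) -> dict[str, list[str]]:
    """Group concrete vulnerabilities under the weakness type they share."""
    groups: dict[str, list[str]] = {}
    for f in findings:
        groups.setdefault(f.cwe, []).append(f.cve)
    return groups

# Constructed sample findings: CVE ids and scores are made up for this example;
# the CWE ids are the real category numbers (89 SQLi, 16 configuration, 287 auth).
SAMPLE = [
    Finding("CVE-2024-0001", "CWE-89", 9.8, 0.90, True),    # SQL injection, exposed
    Finding("CVE-2024-0002", "CWE-89", 9.8, 0.02, False),   # same weakness, internal only
    Finding("CVE-2024-0003", "CWE-16", 5.3, 0.40, True),    # misconfiguration, exposed
    Finding("CVE-2024-0004", "CWE-287", 7.5, 0.10, False),  # weak authentication, internal
]

if __name__ == "__main__":
    print(prioritize(SAMPLE), by_weakness(SAMPLE))
```

Note that the two CWE-89 findings share one weakness type yet land at opposite ends of the ranking, which is the reachability point the article makes.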

Frequently asked questions

What is the difference between a vulnerability and an exploit?

A vulnerability is the weakness itself. An exploit is the code or technique that takes advantage of that weakness to cause harm. A vulnerability can exist for years before any working exploit appears.

Is every bug a vulnerability?

No. A bug is only a vulnerability if it can be abused to violate security, such as bypassing access controls or leaking data. Many bugs are functional defects with no security impact.

How are vulnerabilities identified publicly?

A disclosed vulnerability in a specific product typically receives a CVE identifier, while the underlying type of flaw is classified under a CWE. Severity is rated with CVSS.

Does a vulnerability mean I have already been hacked?

No. A vulnerability is a potential entry point, not evidence of a breach. It becomes an active risk only when an attacker exploits it, which is why prioritization and timely patching matter.