What is VEX (Vulnerability Exploitability eXchange)?
Last reviewed June 2, 2026
VEX (Vulnerability Exploitability eXchange) is a form of machine-readable security advisory whose purpose is to state whether a specific product is actually affected by a given vulnerability. For each CVE, a VEX statement gives a status such as Not Affected, Affected, Fixed, or Under Investigation, often with a justification. It lets vendors tell customers that a CVE flagged in their software is not actually exploitable in that product, cutting down on false-positive scanner noise.
VEX in one sentence
VEX, the Vulnerability Exploitability eXchange, is a way for a producer to communicate, in machine-readable form, whether a particular product is actually affected by a particular vulnerability. It answers a narrow but crucial question: this CVE shows up in association with your product, but does it actually expose you?
VEX is essentially a specialized profile of a security advisory focused on exploitability status. It is not a new vulnerability database; it is a statement about the relationship between one product and one or more known CVEs.
The problem VEX solves
Modern software is full of third-party components, and tools that scan a Software Bill of Materials (SBOM) will flag every CVE associated with every component. But a component can contain vulnerable code that the product never actually calls, or that is mitigated by configuration, so many of those alerts are false positives.
Chasing false positives wastes scarce remediation effort. VEX lets the supplier say authoritatively that a given CVE does not affect their product, so downstream teams can deprioritize it with confidence instead of investigating from scratch.
VEX statuses
A VEX statement assigns each product-and-vulnerability pair a status. The four standard statuses are concise and unambiguous.
| Status | Meaning |
|---|---|
| Not Affected | No remediation required for this product, even though the CVE is associated with it |
| Affected | Actions are recommended to remediate or address this vulnerability |
| Fixed | The product version contains a fix for the vulnerability |
| Under Investigation | It is not yet known whether this product is affected |
Formats and where VEX fits
VEX is a concept rather than a single file format. It can be expressed within the OASIS CSAF advisory standard (which has a dedicated VEX profile), as standalone OpenVEX documents, or inside CycloneDX SBOMs. All of them carry the same core idea: product, vulnerability, status, and an optional justification for a Not Affected determination.
Crucially, VEX is about exploitability in a specific product, not about predicting exploitation in the wild. That distinguishes it from EPSS, which estimates the probability that any attacker exploits a CVE, and from the CISA KEV, which records confirmed exploitation. VEX answers a different question: does this CVE apply to my product at all?
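To make the false-positive reduction described above concrete, here is a small triage script, added as an example and not part of the original page or of any VEX tool. It reads a constructed OpenVEX-style document (field names follow the OpenVEX specification as I know it; the product purl, the CVE ids and the vendor name are placeholders), reconciles a constructed list of SBOM scanner findings against it, and sorts each finding into one of the four statuses from the table above, or into a "no statement" bucket when the vendor has said nothing. It also handles the case of two statements for the same product-and-CVE pair by keeping the most recent one, which is the rule as I read the OpenVEX spec; a statement without its own timestamp inherits the document's.

```python
import json
from datetime import datetime

# Constructed OpenVEX-style document for this example (not a real vendor's
# advisory). Field names follow the OpenVEX spec as I know it; the purl, CVE
# ids, vendor name and URLs are placeholders.
SAMPLE_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/example-app-2024-01",
  "author": "Example Vendor PSIRT",
  "timestamp": "2024-01-10T12:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "timestamp": "2024-01-10T12:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "under_investigation",
     "timestamp": "2024-01-05T09:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "affected",
     "action_statement": "Upgrade to 2.3.1",
     "timestamp": "2024-01-09T09:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "fixed"}
  ]
}
""")

# Constructed scanner output: (product, CVE) pairs an SBOM scanner flagged.
SCANNER_FINDINGS = [
    ("pkg:generic/example-app@2.3.0", "CVE-0000-0001"),
    ("pkg:generic/example-app@2.3.0", "CVE-0000-0002"),
    ("pkg:generic/example-app@2.3.0", "CVE-0000-0003"),
    ("pkg:generic/example-app@2.3.0", "CVE-0000-0004"),  # no VEX statement
]

# The four VEX statuses, in OpenVEX spelling.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def _stmt_time(stmt, doc):
    """Effective timestamp of a statement (falls back to the document's)."""
    ts = stmt.get("timestamp") or doc["timestamp"]
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def index_statements(doc):
    """Map (product id, CVE) -> the most recent statement for that pair.
    Assumption: when several statements cover one pair, the latest wins."""
    latest = {}
    for stmt in doc["statements"]:
        status = stmt["status"]
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        when = _stmt_time(stmt, doc)
        for product in stmt["products"]:
            key = (product["@id"], stmt["vulnerability"]["name"])
            if key not in latest or when > latest[key][0]:
                latest[key] = (when, stmt)
    return {key: val[1] for key, val in latest.items()}


def triage(findings, doc):
    """Bucket scanner findings by VEX status; each entry is (product, cve, note)."""
    index = index_statements(doc)
    buckets = {status: [] for status in VALID_STATUSES}
    buckets["no_statement"] = []
    for product, cve in findings:
        stmt = index.get((product, cve))
        if stmt is None:
            buckets["no_statement"].append((product, cve, "vendor has said nothing; investigate"))
            continue
        status = stmt["status"]
        if status == "not_affected":
            # A Not Affected claim is only as good as its justification.
            note = stmt.get("justification") or "WARNING: not_affected without a justification"
        elif status == "affected":
            note = stmt.get("action_statement", "remediation advised")
        else:
            note = ""
        buckets[status].append((product, cve, note))
    return buckets


def actionable(findings, doc):
    """CVEs that still need human attention once VEX has been applied."""
    buckets = triage(findings, doc)
    keep = ("affected", "under_investigation", "no_statement")
    return sorted(cve for status in keep for _, cve, _ in buckets[status])


if __name__ == "__main__":
    for status, items in triage(SCANNER_FINDINGS, SAMPLE_VEX).items():
        for product, cve, note in items:
            print(f"{status:20} {cve:14} {product}  {note}")
    print("still actionable:", actionable(SCANNER_FINDINGS, SAMPLE_VEX))
```

Of the four scanner findings, only two survive triage: the CVE the vendor marks Affected (with its action statement) and the CVE no statement covers. The Not Affected finding is dropped together with its justification, so a reviewer can still see why, and the earlier Under Investigation statement for CVE-0000-0002 is superseded by the later Affected one.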
Keep exploring
- What is a security advisory? VEX is a specialized, machine-readable advisory.
- What is a CVE? The vulnerability a VEX statement is about.
- What is a CPE? How products are named for affected-status matching.
- What is EPSS? Predicted exploitation, a different question from VEX.
- What is the CISA KEV? Confirmed exploitation, distinct from product affectedness.
Frequently asked questions
- What does VEX stand for?
- VEX stands for Vulnerability Exploitability eXchange. It is a machine-readable statement of whether a specific product is actually affected by a given vulnerability.
- What problem does VEX solve?
- It cuts false-positive noise from SBOM and component scanning. A vendor can state that a CVE associated with a bundled component does not actually affect their product, so teams stop investigating non-issues.
- What are the VEX statuses?
- The four standard statuses are Not Affected, Affected, Fixed, and Under Investigation. A Not Affected status often includes a justification explaining why.
- Is VEX the same as EPSS or the KEV?
- No. VEX states whether a CVE actually affects a specific product. EPSS predicts the probability of exploitation in the wild, and the CISA KEV records confirmed exploitation. They answer different questions.