Glossary · Security testing

What is CVE?

Also known as: Common Vulnerabilities and Exposures, CVE identifier

CVE stands for Common Vulnerabilities and Exposures, a system that assigns a unique identifier to each publicly disclosed cybersecurity vulnerability. A CVE record uses the format CVE-YYYY-NNNNN and is maintained by the CVE Program, giving the security community a common reference for naming and tracking flaws.

Key takeaways

  • A CVE is a unique, stable identifier for one publicly disclosed vulnerability.
  • Identifiers follow the format CVE-YYYY-NNNNN, where YYYY is the assignment year.
  • The CVE Program coordinates assignment through partner organizations worldwide.
  • A CVE names the flaw; CVSS scores its severity separately.

What exactly is a CVE identifier?

A CVE identifier is a label, not a database of fixes or scores. Its sole job is to give one specific, publicly known vulnerability a unique name so that everyone, from researchers to vendors to defenders, can be certain they are discussing the same issue. Before CVE existed, the same flaw might be described differently by every scanner and advisory, making coordination almost impossible.

Each identifier follows the pattern CVE-YYYY-NNNNN. The four-digit year reflects when the identifier was assigned or the vulnerability was made public, and the numeric sequence uniquely distinguishes it within that year. The sequence portion is variable in length to accommodate the growing volume of disclosures.

Who assigns CVEs and how does the process work?

The CVE Program operates through a federated network of partners known as CVE Numbering Authorities, or CNAs. These are typically vendors, research organizations, and coordination centers authorized to assign identifiers within their own scope. This distributed model lets the program scale across the entire software ecosystem rather than relying on a single central body.

A typical flow involves a researcher discovering a vulnerability, a CNA assigning a CVE identifier, and the details being published once a fix or disclosure timeline allows. The identifier then becomes the anchor that scanners, advisories, and patch notes reference.

How do CVEs fit into security operations?

CVEs are the connective tissue of vulnerability management. Scanners report findings by CVE, threat intelligence tracks exploitation by CVE, and remediation tickets reference CVE so teams can confirm exactly what was fixed. They make it possible to correlate a weakness across many different tools.

It is important to remember what a CVE is not. It does not tell you how severe the flaw is, whether it affects you, or how to fix it. Severity is conveyed by a separate CVSS score, and exposure depends on your specific environment. The CVE is simply the shared name everyone agrees to use.

Frequently asked questions

What does the format CVE-YYYY-NNNNN mean?
The YYYY is the four-digit year the identifier was assigned, and NNNNN is a sequence number that uniquely distinguishes the vulnerability within that year. The numeric portion can be longer than five digits to handle high volumes of disclosures.
Does having a CVE mean a vulnerability is critical?
No. A CVE only names a publicly disclosed vulnerability; it carries no severity judgment. Severity is expressed separately through a CVSS score, and the real risk to you depends on your specific exposure.
Who can assign a CVE identifier?
Identifiers are assigned by CVE Numbering Authorities, a network of authorized vendors, research groups, and coordination centers that operate within defined scopes as part of the CVE Program.

Authoritative sources

← Back to the glossary