loading
Loading content
loading
Also known as Common Vulnerabilities and Exposures
A CVE identifier gives a single disclosed vulnerability one canonical name that every vendor, scanner, and advisory can agree on. The format is CVE followed by the year and a sequence number, such as CVE-2021-44228 for the Log4Shell flaw in Apache Log4j. The MITRE Corporation runs the program, and authorized CVE Numbering Authorities assign IDs as flaws are coordinated and disclosed.
The value is interoperability. When a scanner reports CVE-2021-44228, a defender can pull the matching advisory, check whether their Log4j version is affected, and search public databases for an exploit. Without a shared identifier, the same bug carries a dozen vendor-specific names and correlation falls apart.
A CVE is an identifier, not a severity rating. The CVSS score that often accompanies it expresses how serious the flaw is, and a zero-day may have no CVE assigned until disclosure happens.
In an automated workflow, CVE IDs are the join key. Trickest pipelines tag findings from vulnerability scanning with CVE numbers, then enrich, deduplicate, and route them by matching against feeds keyed on the same identifiers.
Related terms