What are Common Vulnerabilities and Exposures (CVE)?

CVE stands for Common Vulnerabilities and Exposures. It is an internationally recognized standard that provides a unique identifier for publicly known cybersecurity vulnerabilities. Each entry, called a CVE Identifier (e.g., CVE-2024-12345), includes a brief description of the vulnerability and relevant references, making it easier for organizations, vendors, and researchers to speak a common language about security flaws.

Unlike a vulnerability database, CVE is a dictionary of identifiers used to label and track specific vulnerabilities across platforms, tools, and security products. The CVE system is maintained by MITRE and supported by a global network of partners called CVE Numbering Authorities (CNAs).
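The identifier format mentioned above (CVE-YYYY-NNNN, with a sequence number of at least four digits) is what tools key on when they correlate findings. The following is an added example, not code from the CVE program or MITRE, that parses and canonicalizes CVE IDs and pulls the distinct ones out of free text such as a vendor advisory; the sample advisory text is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A CVE ID is "CVE-<4-digit year>-<sequence>", where the sequence has at
# least four digits and, since the 2014 syntax change, no upper bound.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(token: str) -> Optional[CveId]:
    """Parse one token; return None if it is not a well-formed CVE ID."""
    m = CVE_ID_RE.fullmatch(token.strip())
    if not m:
        return None
    year, seq = int(m.group(1)), m.group(2)
    # The CVE program began in 1999, so earlier years cannot be valid.
    if year < 1999:
        return None
    # Sequences longer than four digits are not zero-padded.
    if len(seq) > 4 and seq[0] == "0":
        return None
    return CveId(year, int(seq))


def extract_cve_ids(text: str) -> list[str]:
    """Return the unique, canonical CVE IDs referenced in free text, sorted."""
    found = set()
    for m in CVE_ID_RE.finditer(text):
        cve = parse_cve_id(m.group(0))
        if cve is not None:
            found.add(cve)
    return [str(c) for c in sorted(found)]


# Constructed sample advisory text (not a real advisory).
SAMPLE_ADVISORY = """
Patch notes: fixes cve-2024-12345 (heap overflow) and CVE-2024-12345 again
in a second module, plus CVE-2021-0001. Ignore CVE-24-1234 and CVE-2024-123,
which are malformed references, and CVE-1998-0001, which predates the program.
"""

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```

Normalizing case and padding before deduplication is what lets a scanner report, a ticket, and a vendor bulletin be matched on the same key.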

Why does CVE matter?

CVE matters because it provides a standardized, industry-wide method for identifying and referencing known cybersecurity vulnerabilities. Before CVE was introduced, vendors and security tools used different names and formats to describe the same vulnerabilities, which created confusion, gaps in security coverage, and made it difficult to compare or integrate tools. CVE solved this by assigning unique identifiers, CVE IDs, to individual vulnerabilities, enabling consistent communication across products, services, and organizations. This standardization improves interoperability between tools, facilitates faster vulnerability management, and allows organizations to more accurately assess their exposure and response readiness. CVE also serves as a baseline for evaluating the coverage of security solutions, helping users select the tools that best meet their needs. By making vulnerability information more accessible, shareable, and actionable, CVE plays a critical role in improving global cybersecurity coordination, transparency, and resilience.

What’s the Difference Between CVE and CWE?

CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration) are both maintained by MITRE, but they serve distinct purposes in cybersecurity. CVE identifies specific, real-world vulnerabilities found in software or hardware—each CVE entry corresponds to a unique security issue that has been discovered, reported, and cataloged. In contrast, CWE focuses on the underlying types of flaws or mistakes in software and system design that can lead to vulnerabilities. While CVE entries help security teams track, prioritize, and remediate individual vulnerabilities in their environments, CWE provides a framework for understanding the root causes of those vulnerabilities, such as improper input validation, buffer overflows, or hard-coded credentials. In essence, CVE answers “What went wrong in this particular case?” while CWE answers “What kind of mistake caused it?” Together, they offer a comprehensive view of both the specific threats to address and the structural issues to prevent.