CVE (Common Vulnerabilities and Exposures)
What is CVE (Common Vulnerabilities and Exposures)?
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
CVE is a programme launched by MITRE in 1999 and federally sponsored by U.S. CISA/DHS that issues globally unique identifiers (e.g. CVE-2014-0160) to publicly disclosed vulnerabilities. Each entry carries a short description, references to advisories, and the affected product range. Assignment is federated across hundreds of CVE Numbering Authorities (CNAs) — vendors, open-source projects, and coordination centres that allocate IDs within their own scope.
CVE itself does not score severity; CVSS, EPSS, and the CISA KEV list are layered on top. A practical detail many overlook: the ID syntax changed effective January 2015. The old CVE-YYYY-NNNN format capped each year at 9,999 records; the sequence number may now be four or more digits with no upper bound (hence CVE-2021-44228). Records are published as JSON via CVE Services on cve.org, superseding the legacy text "CVE List".
The programme's fragility was exposed in April 2025, when MITRE warned its DHS contract would lapse on the 16th; CISA issued a last-minute 11-month extension, and by January 2026 the board reported no further "funding cliff." Security teams use CVE IDs to correlate scanner output, vendor patches, threat intelligence, and SBOM data into one remediation workflow.
flowchart LR
    R[Researcher or vendor finds flaw] --> C[CNA reserves CVE ID]
    C --> P[Public CVE record on cve.org]
    P --> N[NVD / CVSS enrichment]
    N --> E[EPSS score + CISA KEV check]
    E --> D[Defenders prioritise and patch]
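The ID syntax described above is easy to get wrong in tooling: a naive four-digit pattern silently drops post-2015 IDs such as CVE-2021-44228. The following added example (not part of the original page or the CVE programme's own code) validates IDs under the current rule, extracts them from constructed scanner output, and ranks them against a constructed KEV list for the correlation workflow mentioned above. The leading-zero rule for sequence numbers longer than four digits is stated as an assumption in the comments.

```python
import re
from typing import Iterable

# CVE ID syntax since January 2015: CVE-<4-digit year>-<sequence of 4 OR MORE
# digits>. Assumption encoded here: a sequence longer than four digits must not
# begin with a zero (so CVE-2021-044228 is malformed, CVE-2014-0160 is fine).
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if cve_id is a well-formed CVE identifier."""
    m = _CVE_RE.fullmatch(cve_id.strip())
    if not m:
        return False
    seq = m.group(2)
    return len(seq) == 4 or not seq.startswith("0")


def extract_cve_ids(text: str) -> set[str]:
    """Pull every well-formed CVE ID out of free text, upper-cased and de-duplicated."""
    found = set()
    for m in _CVE_RE.finditer(text):
        candidate = m.group(0).upper()
        if is_valid_cve_id(candidate):
            found.add(candidate)
    return found


def prioritise(scanner_output: str, kev_ids: Iterable[str]) -> list[tuple[str, str]]:
    """Correlate IDs seen in scanner output with a KEV list; KEV hits sort first."""
    kev = {i.strip().upper() for i in kev_ids}
    ids = extract_cve_ids(scanner_output)
    ranked = sorted(ids, key=lambda c: (c not in kev, c))
    return [(c, "KEV" if c in kev else "not in KEV") for c in ranked]


# Constructed sample scanner output: mixed case, a duplicate, and two malformed IDs.
SAMPLE_SCAN = """
host1 openssl 1.0.1e        cve-2014-0160
host2 log4j-core 2.14.1     CVE-2021-44228
host3 openssl 1.0.1f        CVE-2014-0160
host2 notes: CVE-2021-123 (too short) and CVE-2021-044228 (bad leading zero)
"""
# Constructed KEV subset; the real list is published by CISA.
SAMPLE_KEV = ["CVE-2021-44228"]

if __name__ == "__main__":
    for cve_id, status in prioritise(SAMPLE_SCAN, SAMPLE_KEV):
        print(f"{cve_id}\t{status}")
```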
● Examples
- CVE-2014-0160 (Heartbleed) — OpenSSL heartbeat read overflow.
- CVE-2021-44228 (Log4Shell) — Log4j JNDI lookup remote code execution.
● Frequently asked questions
What is CVE (Common Vulnerabilities and Exposures)?
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry. It belongs to the Vulnerabilities category of cybersecurity.
What does CVE (Common Vulnerabilities and Exposures) mean?
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
How do you defend against CVE (Common Vulnerabilities and Exposures)?
A CVE is an identifier, not an attack, so "defending against CVE" means running a remediation workflow keyed on CVE IDs: correlate scanner output, vendor patches, threat intelligence, and SBOM data on the ID, prioritise using CVSS, EPSS, and the CISA KEV list, and patch, as described in the full definition above.
What are other names for CVE (Common Vulnerabilities and Exposures)?
Common alternative names include: CVE ID, CVE record.