
CVE

A standardised identifier for a publicly disclosed cybersecurity vulnerability.

Also known as

Common Vulnerabilities and Exposures

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information-security vulnerabilities and exposures. Each entry receives a unique identifier in the format CVE-YEAR-NNNNN (e.g. CVE-2024-3094).

CVEs are assigned by CVE Numbering Authorities (CNAs) — organisations authorised by the CVE Program to identify and assign CVE IDs. MITRE Corporation maintains the overall program.

Once published, CVE entries are enriched by the National Vulnerability Database (NVD) with CVSS scores, CWE mappings, and affected version data.

Why CVEs matter

  • Provides a common language for discussing vulnerabilities across vendors and tools.
  • Enables automated vulnerability scanning (Trivy, Snyk, etc.) to cross-reference findings.
  • Powers patch management workflows: a CVE without a patch is a known exploit risk.

Example

CVE-2024-3094 — Critical backdoor in XZ Utils 5.6.0/5.6.1 (CVSS 10.0)
Affected: Linux distributions shipping liblzma with the compromised tarball.
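
To illustrate how tools cross-reference findings by CVE ID, the following added example (not code from the original page) pulls identifiers out of free-text reports and groups them by source. It relies on the CVE ID syntax of a four-digit year followed by a sequence number of four or more digits; the scanner names, report lines and the 2099 IDs are constructed placeholders.

```python
import re
from collections import defaultdict

# Syntax: "CVE-", four-digit year, "-", sequence number of four or more digits.
# The boundary checks reject tokens that only contain a CVE-like substring.
CVE_RE = re.compile(
    r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![A-Za-z0-9])", re.IGNORECASE
)


def extract_cves(text):
    """Return the set of CVE IDs in free text, normalised to upper case."""
    return {f"CVE-{m.group(1)}-{m.group(2)}" for m in CVE_RE.finditer(text)}


def cross_reference(reports):
    """Map each CVE ID to the sorted names of the reports that mention it."""
    seen = defaultdict(set)
    for name, text in reports.items():
        for cve in extract_cves(text):
            seen[cve].add(name)
    return {cve: sorted(names) for cve, names in sorted(seen.items())}


# Constructed sample output from two hypothetical scanners. Only CVE-2024-3094
# comes from the page; the 2099 IDs are made-up placeholders.
REPORTS = {
    "scanner_a": (
        "liblzma 5.6.1  CRITICAL  CVE-2024-3094\n"
        "libfoo 1.2.0   HIGH      cve-2099-123456\n"  # lower case, 6-digit sequence
        "libbar 0.9     LOW       CVE-2099-001\n"     # malformed: 3-digit sequence
    ),
    "scanner_b": (
        "xz-utils: https://example.invalid/advisory/CVE-2024-3094 (fixed upstream)\n"
        "libfoo: CVE-2099-123456, CVE-2099-1234\n"
    ),
}

if __name__ == "__main__":
    for cve, sources in cross_reference(REPORTS).items():
        print(f"{cve}: {', '.join(sources)}")
```

A pattern that fixes the sequence number at exactly four digits would report CVE-2099-123456 as CVE-2099-1234 and merge two distinct entries, which is why the sequence is matched as four or more digits with a boundary check after it.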

See also

CVSS, NVD, CISA KEV