Common Vulnerabilities and Exposures


The Common Vulnerabilities and Exposures system, originally Common Vulnerability Enumeration, provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' Homeland Security Systems Engineering and Development Institute FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system as well as the basis for the US National Vulnerability Database.

CVE identifiers

MITRE Corporation's documentation defines CVE Identifiers as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers originally had a status of "candidate" and could then be promoted to entries, but this practice was ended in 2005 and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry. If found not to meet criteria, MITRE or a CVE Numbering Authority can summarily place the entry into REJECTED status.
CVEs are assigned by a CVE Numbering Authority. While some vendors acted as a CNA before, the name and designation was not created until 1 February 2005. There are four primary types of CVE number assignments:
  1. The MITRE Corporation functions as Editor and Primary CNA
  2. Various CNAs assign CVE numbers for their own products
  3. A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs
  4. Researchers, in one case, have been granted the CNA role.
When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD databases for some time due to issues that are embargoed, or historically in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence and coordination can refer to the CVE number to ensure all parties are referring to the same vulnerability. Information on getting CVE identifiers for issues with open source projects is available from Red Hat and GitHub.
CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category, but custom-built software that is not distributed would historically not be given a CVE. For the first two decades of the program, services are not assigned CVEs for vulnerabilities found in the service unless the issue exists in an underlying software product that is publicly distributed. Official rules have not been published regarding this change but some CNAs including MITRE have begun assigning CVEs to service-based vulnerabilities as far back as 2000.

CVE data fields

The CVE database contains several fields:

Description

This is a standardized text description of the issue. One common entry is:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

This means that the entry number has been reserved by Mitre for an issue or a CNA has reserved the number. So when a CNA requests a block of CVE numbers in advance, the CVE number will be marked as reserved even though the CVE itself may not be assigned by the CNA for some time. Until the CVE is assigned, Mitre is made aware of it, and Mitre has researched the issue and written a description of it, entries will show up as "** RESERVED **".

Record Creation Date

This is the date the entry was created. For CVEs assigned directly by Mitre, this is the date Mitre created the CVE entry. For CVEs assigned by CNAs this is also the date that was created by Mitre, not by the CNA. When a CNA requests a block of CVE numbers in advance the entry date that CVE is assigned to the CNA.

Obsolete fields

The following fields were previously used in CVE records, but are no longer used.
  • Phase: The phase the CVE is in.
  • Votes: Previously board members would vote yea or nay on whether or not the CAN should be accepted and turned into a CVE.
  • Comments: Comments on the issue.
  • Proposed: When the issue was first proposed.

    Changes to syntax

In order to support CVE IDs beyond CVE-YEAR-9999 a change was made to the CVE syntax in 2014 and took effect on 13 January 2015.
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
The variable-length arbitrary digits begin at four fixed digits and expand with arbitrary digits only when needed in a calendar year; for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, and so on. The schema is compatible with previously assigned CVE-IDs, which all include a minimum of four digits.

Search CVE identifiers

The Mitre CVE database can be searched at the , and the NVD CVE database can be searched at .

CVE usage

CVE identifiers are intended for use with respect to identifying vulnerabilities:

Common Vulnerabilities and Exposures is a dictionary of common names for publicly known information security vulnerabilities. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

Users who have been assigned a CVE identifier for a vulnerability are encouraged to ensure that they place the identifier in any related security reports, web pages, emails, and so on.

CVE assignment issues

Per section 7 of the CNA Rules, a vendor which received a report about a security vulnerability has full discretion in regards to it. This can lead to a conflict of interest as a vendor may attempt to leave flaws unpatched by denying a CVE assignment at first place – a decision which Mitre can't reverse. The "!CVE" project, announced in 2023, aims to collect vulnerabilities that are denied by vendors, so long as they are considered valid by a panel of experts from the project.
CVE identifiers have been awarded for bogus issues and issues without security consequences. In response, a number of open-source projects have themselves applied to become the CVE Numbering Authority of their own project.

2025 funding issues

On 15 April 2025, it was reported that the contract between MITRE and the US government, set to expire the day after, would be allowed to expire. Reports stated that the expiration of the contract would bring an end to the operational arm of the CVE program, including assigning new CVEs, while the database would remain accessible via GitHub.
Just prior to its expiration, the contract was extended for 11 months, averting the shutdown of the program. The contract is now set to expire on 16 March 2026.