What is CVE?

Definition

CVE — Common Vulnerabilities and Exposures — is a publicly maintained catalog of known cybersecurity vulnerabilities. Each entry in the catalog is assigned a unique identifier (CVE-YEAR-NUMBER, e.g. CVE-2021-44228 for Log4Shell) that provides a common reference point for discussing, tracking, and remediating a specific vulnerability across tools, vendors, and teams.

CVE was created in 1999 by MITRE Corporation with funding from the US Department of Homeland Security. Today, the CVE Program involves hundreds of CVE Numbering Authorities (CNAs) — organizations authorized to assign CVE IDs to vulnerabilities in their products or scope — and covers hundreds of thousands of known vulnerabilities.

The Structure of a CVE Entry

Each CVE entry contains:

• CVE ID — a unique identifier in the format CVE-YEAR-NUMBER
• Description — a standardized description of the vulnerability
• References — links to advisories, patches, proof-of-concept code, and vendor responses
• Status — reserved, published, rejected, or disputed
• CVSS score — a severity score assigned by NVD (the National Vulnerability Database) based on the CVE

A CVE entry deliberately does not include: fix instructions, exploit code (in the CVE itself), or product-specific remediation guidance. Those details appear in vendor advisories and the NVD.

How a CVE is Assigned

1. A researcher discovers a vulnerability and reports it to a CNA (the affected vendor, a coordinating CNA, or MITRE directly).
2. The CNA assigns a CVE ID, often under embargo until a patch is available.
3. The vulnerability is disclosed publicly, typically coordinated with the vendor's patch release.
4. The CVE entry is published in the CVE database.
5. NVD enriches the entry with CVSS score, CWE classification, and CPE affected product list.

CVE vs. NVD vs. CVSS

Why CVE Identifiers Matter

Without a common identifier, discussing and tracking vulnerabilities is ambiguous. Security tools, vendor patches, news articles, and vulnerability scanners all use CVE IDs as the reference. When a scanner reports CVE-2021-44228, every tool, team, and vendor knows exactly which vulnerability is being discussed — what it affects, what the severity is, and where to find patches.

CVE IDs are the lingua franca of vulnerability management. They enable:

• Scanner output to be linked to vendor advisories and patches
• SBOMs to be checked against known vulnerable versions
• Bug bounty and responsible disclosure workflows
• Regulatory reporting and audit trails
• Priority triage based on published CVSS scores

Limitations of CVE

The CVE program has known limitations:

• Coverage gaps — not all vulnerabilities receive CVE IDs, particularly in smaller or proprietary software
• Disclosure delay — some CVEs are published months or years after the underlying vulnerability was patched
• Description quality varies widely across CNAs
• The CVE backlog — NVD has historically struggled with the volume of new CVE entries requiring enrichment

CVE and Autonomous Code Governance

Hydra continuously monitors the CVE database and cross-references every dependency in a codebase against published CVE entries. When a new CVE is published affecting a dependency in use, Hydra generates an upgrade pull request — replacing the vulnerable version with the patched one — within hours of the CVE's NVD enrichment. This eliminates the lag between CVE publication and remediation that manual dependency management creates. For CVEs in the codebase's own code (not dependencies), Hydra's detection rules map to CWE classifications that cover the root causes of published CVEs.