CVE (Common Vulnerabilities and Exposures)

CVE stands for Common Vulnerabilities and Exposures: a system that gives each publicly known security flaw a single, standardized identifier so that vendors, researchers, and defenders can all refer to the same vulnerability without confusion. According to the U.S. National Vulnerability Database (NVD), maintained by NIST, CVEs are “standardized identifiers for known security flaws” that the database catalogs.

A CVE identifier is the shared name for a vulnerability; the NVD then enriches each entry with a description, affected-product information, and severity data. NIST describes the NVD as “the U.S. government repository of standards based vulnerability management data,” tying CVE identifiers, severity scoring, and affected-product identifiers into a single authoritative resource.

Severity is expressed using the Common Vulnerability Scoring System (CVSS), maintained by FIRST (the Forum of Incident Response and Security Teams). FIRST states that CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity,” which is then mapped to qualitative ratings such as low, medium, high, and critical. CVSS is currently at version 4.0, and the NVD hosts calculators for multiple CVSS versions.

Together these pieces form an interlocking workflow: a CVE identifier names the vulnerability, a CVSS score quantifies how serious it is, and the NVD serves as the repository that connects identifiers, scores, and impact data. This shared vocabulary lets organizations prioritize patching and communicate about risk in a consistent, machine-readable way across the whole industry.
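The workflow above, carried through in code as an added example (this is not code from NVD, NIST, or FIRST): it validates that a string is a well-formed CVE identifier, maps a CVSS base score onto FIRST's qualitative rating bands (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0, the same bands for CVSS v3.x and v4.0), and then orders a batch of records so the most severe entries come first. The record shape and the sample identifiers are constructed for the example and are not real NVD output or real CVE entries.

```python
import re
from typing import Dict, List, Tuple

# A CVE identifier is "CVE-", a four-digit year, "-", and a sequence number
# of at least four digits (longer sequence numbers are allowed).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if the string is a well-formed CVE identifier."""
    return CVE_ID_RE.fullmatch(cve_id) is not None


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to FIRST's qualitative severity rating scale.

    The bands are identical for CVSS v3.x and v4.0; scores are reported to
    one decimal place, so strict '<' comparisons give the published cut-offs.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed sample records in a simplified, NVD-like shape (assumption: not
# the real NVD JSON schema). The identifiers are fictitious, not real entries.
SAMPLE_RECORDS: List[Dict] = [
    {"id": "CVE-2099-0001", "score": 10.0, "description": "constructed: remote code execution"},
    {"id": "CVE-2099-0002", "score": 5.3, "description": "constructed: information disclosure"},
    {"id": "CVE-2099-12345", "score": 7.5, "description": "constructed: denial of service"},
    {"id": "CVE-99-1", "score": 9.1, "description": "constructed: malformed identifier"},
    {"id": "CVE-2099-0003", "score": 3.1, "description": "constructed: minor hardening issue"},
]


def triage(records: List[Dict]) -> Tuple[List[Tuple[str, float, str]], List[str]]:
    """Validate identifiers, attach a qualitative rating, and sort by
    descending CVSS score.

    Returns (prioritized, rejected): prioritized is a list of
    (cve_id, score, rating) tuples, most severe first; rejected lists the
    identifiers that were not well-formed and so cannot be cross-referenced.
    """
    prioritized: List[Tuple[str, float, str]] = []
    rejected: List[str] = []
    for rec in records:
        if not is_valid_cve_id(rec["id"]):
            rejected.append(rec["id"])
            continue
        prioritized.append((rec["id"], rec["score"], cvss_rating(rec["score"])))
    prioritized.sort(key=lambda r: r[1], reverse=True)
    return prioritized, rejected


def count_by_rating(prioritized: List[Tuple[str, float, str]]) -> Dict[str, int]:
    """Summarize a triaged list as a count per qualitative rating."""
    counts: Dict[str, int] = {}
    for _, _, rating in prioritized:
        counts[rating] = counts.get(rating, 0) + 1
    return counts


if __name__ == "__main__":
    ranked, bad = triage(SAMPLE_RECORDS)
    for cve_id, score, rating in ranked:
        print(f"{cve_id:16} {score:4.1f} {rating}")
    print("rejected identifiers:", bad)
    print("counts:", count_by_rating(ranked))
```

Rejecting malformed identifiers before ranking matters in practice: an entry that cannot be matched to a CVE cannot be looked up in the NVD, correlated with vendor advisories, or de-duplicated against other feeds, so it should be flagged for correction rather than silently ranked.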

Sources

Last verified June 8, 2026