TI News Feed · Threat Intelligence Guides

What Is a CVE? CVEs, CVSS and the KEV Catalog Explained

CVEs are the universal IDs for security vulnerabilities. Learn how CVE identifiers and CVSS scores work, how CVE differs from CWE, and how to prioritize what to patch.

A CVE — short for Common Vulnerabilities and Exposures — is a unique, public identifier assigned to a specific cybersecurity vulnerability. When you read that "CVE-2026-12345 is being actively exploited," that code is a universal reference number that lets everyone — vendors, researchers, defenders and tools — talk about the same flaw without confusion. CVEs are the backbone of vulnerability management and a frequent subject in any threat intelligence feed.

This guide explains how CVE IDs work, how the CVSS severity score is calculated, how CVE differs from related terms like CWE, and — most importantly — how to prioritize which vulnerabilities to fix first.

The CVE system explained

The CVE program is run by the MITRE Corporation and sponsored by the U.S. government, with a global network of CVE Numbering Authorities (CNAs) — including major vendors — that assign IDs. The goal is one identifier per vulnerability, used everywhere.

A CVE ID looks like CVE-2026-12345:

  • CVE — the prefix.
  • 2026 — the year the ID was reserved or the vulnerability was made public (not necessarily when the bug was found or fixed).
  • 12345 — an arbitrary-length sequence number of at least four digits. CNAs assign from pre-allocated blocks, so a higher number does not mean a later assignment.

Each CVE entry includes a brief description, affected products, and references. Importantly, a CVE record identifies and describes a vulnerability — it doesn't, by itself, tell you how severe it is. That's where CVSS comes in.

CVSS: scoring vulnerability severity

The Common Vulnerability Scoring System (CVSS) assigns a severity score from 0.0 to 10.0 to a vulnerability, with qualitative ratings:

  • 0.0 — None
  • 0.1–3.9 — Low
  • 4.0–6.9 — Medium
  • 7.0–8.9 — High
  • 9.0–10.0 — Critical

The score is built from several metric groups. The Base metrics capture the intrinsic characteristics of the flaw: how it is reached (attack vector), how hard it is to trigger (attack complexity), whether privileges or user interaction are required, whether the impact crosses a security boundary (scope, in v3.x), and the impact on confidentiality, integrity and availability. Optional Temporal metrics (renamed Threat in CVSS v4.0) adjust for real-world exploit maturity, and Environmental metrics adjust for your own deployment. The score you see in an advisory or the NVD is almost always the Base score alone.

A "critical" CVSS 9.8 vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. reachable over the network, no privileges or user interaction needed, full loss of confidentiality, integrity and availability) is the kind of flaw that demands urgent attention, particularly if it affects internet-facing systems.

CVE vs CVSS vs CWE: clearing up the confusion

These three acronyms are easy to mix up:

  • CVE identifies a specific vulnerability (the "what" and "where"). CVE-2026-12345.
  • CVSS scores how severe that vulnerability is (the "how bad"). A number from 0–10.
  • CWE (Common Weakness Enumeration) classifies the underlying type of flaw (the "why"). For example, CWE-79 is cross-site scripting; CWE-89 is SQL injection. Many different CVEs can share the same CWE.

In short: a CWE is a category of weakness, a CVE is a specific instance of one in a real product, and CVSS tells you how dangerous that instance is.

The NVD and where CVE data lives

Once a CVE is published, the U.S. National Vulnerability Database (NVD), run by NIST, enriches it with CVSS scores, affected-product data (CPE names) and references. The NVD is the most common place defenders and tools look up CVE details. Vendor advisories and security tools then map their findings back to CVE IDs so you can correlate everything to one reference. One caveat: NVD enrichment can lag publication by days or weeks, so while an entry is still marked "Awaiting Analysis", check the vendor advisory and the CNA's own CVE record, which may already carry a CVSS vector.

Why CVSS alone isn't enough: prioritizing what to patch

Tens of thousands of CVEs are published every year — far more than any team can patch immediately. CVSS helps, but a "critical" score doesn't mean a vulnerability is actually being exploited. Smart prioritization blends three questions:

  1. Is it being actively exploited? This is the single most important factor. CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities with confirmed in-the-wild exploitation (U.S. federal agencies must remediate them by the catalog's due date under BOD 22-01). Patch these first, regardless of CVSS.
  2. How likely is exploitation? The EPSS (Exploit Prediction Scoring System), maintained by FIRST, estimates the probability (0 to 1) that a CVE will be exploited in the wild within the next 30 days, helping you triage the long tail.
  3. How exposed and critical is the affected asset? A critical CVE on an internet-facing system matters far more than the same flaw on an isolated internal one.
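The following Python is an added example, not part of the original guide or of any product's code. It pulls CVE IDs out of a piece of report text (using the CVE-YYYY-NNNN format described earlier) and then ranks scanner findings by the three questions above, with CVSS demoted to a tie-breaker. The report text, KEV membership, EPSS values, asset inventory and remediation tiers are all constructed placeholders; in practice KEV and EPSS data would come from CISA's KEV JSON feed and FIRST's EPSS API rather than the dictionaries below.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# CVE-YYYY-NNNN: four-digit year, then at least four digits (IDs may be longer).
# IGNORECASE so "cve-2026-12345" in sloppy report text is still picked up.
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed report text; the IDs are placeholders, not real vulnerabilities.
REPORT = (
    "Ransomware affiliates observed exploiting cve-2026-12345 against internet-facing "
    "VPN appliances. CVE-2026-0001 and CVE-2026-12345 appear in the same campaign; "
    "CVE-2026-7777 is unrelated. Malformed IDs such as CVE-26-1 or CVE-2026-123 are ignored."
)

# Constructed stand-ins for external data. Real sources:
#   KEV:  https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
#   EPSS: https://api.first.org/data/v1/epss?cve=CVE-YYYY-NNNN  (probability, 0..1)
KEV: Set[str] = {"CVE-2026-12345"}
EPSS: Dict[str, float] = {
    "CVE-2026-12345": 0.94,
    "CVE-2026-0001": 0.03,
    "CVE-2026-7777": 0.62,
    "CVE-2025-9999": 0.01,
}


@dataclass(frozen=True)
class Finding:
    """One scanner hit: the asset, the CVE, its CVSS Base score and asset context."""
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    business_critical: bool


# Constructed scanner output for four hypothetical hosts.
FINDINGS: List[Finding] = [
    Finding("vpn-edge-01", "CVE-2026-12345", 7.2, True, True),
    Finding("db-core-03", "CVE-2025-9999", 9.8, False, True),
    Finding("web-shop-02", "CVE-2026-7777", 8.1, True, True),
    Finding("dev-laptop-07", "CVE-2026-0001", 9.8, False, False),
]


def extract_cve_ids(text: str) -> List[str]:
    """Well-formed CVE IDs in text: upper-cased, first-occurrence order, no duplicates."""
    seen: Set[str] = set()
    out: List[str] = []
    for m in CVE_ID_RE.finditer(text):
        cve = m.group(0).upper()
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def rank_by_cvss(findings: Iterable[Finding]) -> List[Finding]:
    """The naive ordering the guide warns against: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def priority_key(f: Finding, kev: Set[str], epss: Dict[str, float]):
    """Sort key implementing the three questions in order of weight: confirmed
    exploitation (KEV), then asset exposure and criticality, then exploitation
    likelihood (EPSS), with CVSS only as the final tie-breaker."""
    return (f.cve in kev, f.internet_facing, f.business_critical, epss.get(f.cve, 0.0), f.cvss)


def triage(findings: Iterable[Finding], kev: Set[str], epss: Dict[str, float]) -> List[Finding]:
    return sorted(findings, key=lambda f: priority_key(f, kev, epss), reverse=True)


def patch_tier(f: Finding, kev: Set[str], epss: Dict[str, float], epss_threshold: float = 0.1) -> str:
    """Assumed remediation tiers: an illustrative policy, not one the guide prescribes."""
    likely = epss.get(f.cve, 0.0) >= epss_threshold
    if f.cve in kev:
        return "P1"   # in-the-wild exploitation confirmed: patch first, whatever the CVSS
    if f.internet_facing and (likely or f.cvss >= 9.0):
        return "P2"
    if likely or f.cvss >= 7.0:
        return "P3"
    return "P4"


if __name__ == "__main__":
    mentioned = extract_cve_ids(REPORT)
    print("CVEs in report:", mentioned, "| also in KEV:", sorted(KEV & set(mentioned)))
    for f in triage(FINDINGS, KEV, EPSS):
        print(patch_tier(f, KEV, EPSS), f.asset, f.cve, f.cvss, "EPSS", EPSS.get(f.cve, 0.0))
```

Ranked by CVSS alone, the two 9.8s on an isolated database host and an unexposed laptop come first and the 7.2 on the VPN edge comes last; ranked by the three questions, the KEV-listed 7.2 on the internet-facing appliance jumps to the top, which is exactly the reordering the section argues for.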

This is where threat intelligence becomes essential: knowing which CVEs adversaries are weaponizing right now lets you patch the few that matter before the many that don't. APTs and ransomware operators routinely exploit known, unpatched CVEs as their entry point.

The life of a vulnerability

A typical CVE moves through stages: a researcher discovers a flaw, discloses it (ideally to the vendor first), a CVE ID is assigned, the vendor patches it, and the details are published. The dangerous window is between public disclosure and patching — attackers often race to exploit newly disclosed CVEs before organizations can apply fixes. A zero-day is the extreme case: a vulnerability exploited before any patch exists.

Zero-days vs n-days: timing is everything

Not all vulnerabilities are equally dangerous, and timing is a big reason why. Two terms capture the difference:

  • A zero-day is a vulnerability that attackers are exploiting before the vendor has released a patch (the vendor has had "zero days" to fix it). Because there's no fix to apply, zero-days are prized by sophisticated actors and especially dangerous — defenders can only mitigate, not patch.
  • An n-day (or "known" vulnerability) is one for which a patch already exists. These sound safer, but they account for a large share of real-world breaches, because organizations are slow to apply updates. Attackers reverse-engineer patches (patch diffing) to build exploits and then scan the internet for systems that haven't yet updated.

This is why the window between public disclosure and patching is so critical, and why responsible (coordinated) disclosure matters: security researchers privately notify a vendor and give them time to release a fix before going public, shrinking the period when a vulnerability is exploitable but unpatched. For defenders, the lesson is blunt — most damage comes not from exotic zero-days but from known CVEs left unpatched. Fast, intelligence-led patching of actively exploited n-days is one of the highest-impact things a security team can do, which loops back to watching what's being exploited right now.

The bottom line

A CVE is the universal ID for a specific vulnerability; CVSS scores its severity; CWE classifies the underlying weakness; and the NVD ties it all together. But the real skill is prioritization — patching the vulnerabilities that are actively exploited and exposed, not just the ones with the highest scores. Staying ahead means knowing what's being exploited today. Our live threat intelligence feed continuously surfaces reporting on new and actively exploited CVEs from dozens of authoritative sources, ranked by priority and linked to the National Vulnerability Database so you can act fast.

Frequently asked questions

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique public identifier assigned to a specific cybersecurity vulnerability, such as CVE-2026-12345. It lets vendors, researchers, defenders and tools refer to the same flaw consistently.

What is the difference between CVE and CVSS?

A CVE identifies a specific vulnerability — it's the reference number. CVSS (Common Vulnerability Scoring System) scores how severe that vulnerability is, on a scale from 0.0 to 10.0. One describes which flaw it is; the other describes how dangerous it is.

What does a CVSS score mean?

CVSS rates severity from 0.0 to 10.0: 0.0 is None, 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, and 9.0–10.0 Critical. The score is derived from factors like how the vulnerability is reached and exploited, whether privileges or user interaction are needed, and its impact on confidentiality, integrity and availability.

How should I prioritize which CVEs to patch?

Don't rely on CVSS alone. Patch actively exploited vulnerabilities first (CISA's KEV catalog confirms in-the-wild exploitation), use EPSS to estimate exploitation likelihood, and weigh how exposed and critical the affected asset is. Threat intelligence tells you which CVEs attackers are weaponizing now.