Skip to content
Latchkey

What Is a CVE? The Universal ID for a Known Vulnerability

A CVE (Common Vulnerabilities and Exposures) is a unique public identifier assigned to a specific known security vulnerability, so everyone can refer to it the same way.

Before CVEs, different vendors described the same flaw in different words, and coordinating a fix was chaos. A CVE gives each vulnerability one canonical ID, like CVE-2021-44228, that everyone, scanners, advisories, vendors, uses to mean the same thing. It is the shared vocabulary of vulnerability management.

Anatomy of a CVE ID

A CVE ID looks like CVE-YYYY-NNNNN: the prefix, the year it was assigned, and a sequence number. The ID itself is just a name; the details (affected versions, description, references) live in the associated record.

Who assigns them

The CVE program, with numbering authorities (CNAs) like major vendors and coordination bodies, assigns IDs. When a vulnerability is disclosed, it gets a CVE so tools and humans can track it consistently.

How CVEs power scanning

  • Vulnerability databases index findings by CVE ID.
  • Scanners match your components to affected-version ranges.
  • Advisories reference the CVE so you can read the details.
  • Severity scores (CVSS) attach to the CVE for prioritization.

What a CVE does not tell you

A CVE says a flaw exists; it does not say you are exploitable. A vulnerable library you never call in a risky way may pose little real risk. CVE plus context (reachability, exposure) is what actually drives prioritization.

CVEs in your pipeline

Dependency and container scanners report findings as CVE IDs with severities, so your CI gate can decide what to block. Keeping an SBOM means that when a new CVE drops, you can immediately tell whether any of your builds are affected.

Key takeaways

  • A CVE is a unique public ID for one known vulnerability.
  • It gives scanners, advisories, and vendors a shared reference.
  • A CVE flags existence, not exploitability; context drives real priority.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →