CVE — Common Vulnerabilities and Exposures

Industry standard
Definition

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known security vulnerability. When a security researcher discovers a vulnerability in a piece of software, they can request a CVE ID from MITRE. The ID (like CVE-2021-44228 for Log4Shell) becomes the universal reference for that vulnerability across all security tools, databases, and documentation.

What a CVE ID tells you

A CVE ID has a simple structure: CVE-[year]-[number]. The year is when the CVE was assigned (not necessarily when the vulnerability was discovered or fixed). The number is a sequential ID within that year.

CVE-2021-44228 is Log4Shell — discovered and assigned a CVE in December 2021. CVE-2022-22965 is Spring4Shell — 2022. The year in the ID is a rough indicator of when the vulnerability became publicly known.
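The structure above is simple enough to validate mechanically, and it is worth doing: vulnerability feeds, changelogs and commit messages mix upper and lower case, and a malformed reference silently breaks cross-tool correlation. The following Python is an added example (not code from this page or from PackageFix) that parses a single CVE ID, extracts the assignment year and sequence number, and pulls every CVE reference out of free text. The release-notes string is constructed for the example; CVE-2020-0001 is a placeholder ID, not a reference to a real vulnerability.

```python
import re
from typing import NamedTuple, Optional

# CVE-[year]-[number]: a four-digit year, then a sequence number of at least
# four digits with no upper bound (five- and six-digit sequences are common).
# Word boundaries stop partial matches such as "CVE-2021-4422" inside a longer token.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveId(NamedTuple):
    year: int       # year the ID was assigned, not when the bug was found or fixed
    sequence: int   # sequence number within that year

    def __str__(self) -> str:
        # Canonical form: upper case, sequence padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Parse one CVE ID; return None unless the whole string is a CVE ID."""
    m = _CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    return CveId(int(m.group(1)), int(m.group(2)))


def extract_cve_ids(text: str) -> list[str]:
    """Return every CVE reference found in free text (release notes, commit
    messages), normalised to canonical form, de-duplicated, and ordered by
    assignment year then sequence number."""
    found = {CveId(int(year), int(seq)) for year, seq in _CVE_RE.findall(text)}
    return [str(cve) for cve in sorted(found)]


# Constructed release notes for the example. CVE-2020-0001 is a placeholder;
# "CVE-21-4422" is deliberately malformed and must not be picked up.
RELEASE_NOTES = (
    "Fixes cve-2021-44228 (Log4Shell) and the placeholder CVE-2020-0001; "
    "CVE-2022-22965 is also addressed. Ignore the typo CVE-21-4422. "
    "CVE-2021-44228 is mentioned again here."
)

if __name__ == "__main__":
    print(parse_cve_id("cve-2021-44228"))
    print(extract_cve_ids(RELEASE_NOTES))
```

Lower-case and duplicated references collapse to one canonical ID each, which is the form you want before looking an ID up in NVD, OSV, or a scanner's database.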

CVE vs NVD vs OSV — what's the difference

These are related but separate things that confuse a lot of people:

Why some vulnerabilities don't have CVE IDs

Getting a CVE assigned takes time — sometimes weeks or months after a fix is released. Aikido's research found that 67% of open source vulnerability patches were released without ever receiving a CVE. This is a real blind spot: npm audit only checks CVE databases, so it misses the majority of patched vulnerabilities that were never formally disclosed.

Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.


Free · No signup · No CLI · Runs in your browser

Common questions

Who assigns CVE IDs?

MITRE Corporation manages the CVE program under contract with CISA. Large organizations (like Microsoft, Google, Red Hat) are authorized CVE Numbering Authorities (CNAs) and can assign CVEs for vulnerabilities in their own products. For open source packages without a CNA, researchers submit to MITRE directly.

What's the difference between a CVE and a CVSS score?

A CVE is the identifier — the name. CVSS (Common Vulnerability Scoring System) is the severity score assigned to that CVE, from 0.0 to 10.0. Critical = 9.0-10.0, High = 7.0-8.9, Medium = 4.0-6.9, Low = 0.1-3.9. The CVE and its CVSS score are separate pieces of information.

Does PackageFix use CVE IDs?

Yes — every vulnerability PackageFix detects is linked to its CVE ID (when one exists) via osv.dev. For vulnerabilities without a CVE, PackageFix shows the OSV ID (GHSA-XXXX format from GitHub Advisory Database).

What is a zero-day CVE?

A zero-day vulnerability is one being exploited in the wild before it has a public fix or even a CVE assignment. The Log4Shell vulnerability was being actively exploited for days before the CVE was assigned and a patch released.
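Two points from this page are easy to check in code: an advisory may carry a GHSA ID but no CVE alias (the blind spot described under "Why some vulnerabilities don't have CVE IDs"), and a CVSS base score maps to the qualitative bands listed above. The Python below is an added example, not PackageFix's code. The advisory records are constructed in the shape of the OSV schema (`id`, `aliases`, `affected[].package`, `affected[].ranges[].events`); the GHSA IDs and package names are placeholders. The `nvd_base_score` field is an assumption for the example, standing in for a numeric base score you would fetch from NVD, since OSV records store CVSS vector strings rather than numbers.

```python
import re
from typing import Any, Optional

_CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def _advisory(osv_id: str, aliases: list[str], package: str,
              fixed: Optional[str], score: Optional[float]) -> dict[str, Any]:
    """Build a constructed OSV-style record (example data, not a real advisory)."""
    events: list[dict[str, str]] = [{"introduced": "0"}]
    if fixed:
        events.append({"fixed": fixed})
    return {
        "id": osv_id,
        "aliases": aliases,
        "affected": [{"package": {"ecosystem": "npm", "name": package},
                      "ranges": [{"type": "SEMVER", "events": events}]}],
        "nvd_base_score": score,   # assumed field, see lead-in
    }


# Constructed sample feed. GHSA IDs and package names are placeholders.
ADVISORIES = [
    _advisory("GHSA-aaaa-bbbb-cccc", ["CVE-2021-44228"], "example-pkg-a", "1.2.0", 10.0),
    _advisory("GHSA-dddd-eeee-ffff", [], "example-pkg-b", "0.4.1", 7.5),   # patched, never got a CVE
    _advisory("GHSA-gggg-hhhh-iiii", ["CVE-2022-22965"], "example-pkg-c", None, 5.3),  # no fix yet
    _advisory("GHSA-jjjj-kkkk-llll", [], "example-pkg-d", None, None),     # no CVE, no fix, unscored
]


def severity_band(score: Optional[float]) -> str:
    """Map a CVSS base score to its qualitative band (0.0 is 'None' in CVSS v3)."""
    if score is None:
        return "Unknown"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def cve_alias(advisory: dict[str, Any]) -> Optional[str]:
    """Return the CVE ID listed in the advisory's aliases, if any."""
    return next((a for a in advisory.get("aliases", []) if _CVE_ID.match(a)), None)


def has_fix(advisory: dict[str, Any]) -> bool:
    """True if any affected range records a 'fixed' version."""
    return any("fixed" in event
               for affected in advisory.get("affected", [])
               for rng in affected.get("ranges", [])
               for event in rng.get("events", []))


def triage(advisories: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One row per advisory: CVE ID when present (else the OSV/GHSA ID), whether a
    fix exists, and the severity band of the supplied base score."""
    rows = []
    for adv in advisories:
        cve = cve_alias(adv)
        rows.append({
            "display_id": cve or adv["id"],
            "has_cve": cve is not None,
            "has_fix": has_fix(adv),
            "severity": severity_band(adv.get("nvd_base_score")),
        })
    return rows


def cve_coverage(advisories: list[dict[str, Any]]) -> float:
    """Share of patched advisories that carry a CVE; a CVE-only scanner sees
    only this fraction of the available fixes."""
    patched = [a for a in advisories if has_fix(a)]
    if not patched:
        return 0.0
    return sum(1 for a in patched if cve_alias(a)) / len(patched)


if __name__ == "__main__":
    for row in triage(ADVISORIES):
        print(row)
    print(f"patched advisories with a CVE: {cve_coverage(ADVISORIES):.0%}")
```

The `display_id` column is the behaviour described in the FAQ: show the CVE when one exists, otherwise fall back to the GHSA ID. The `cve_coverage` figure is the quantity a CVE-only tool such as `npm audit` is blind to; in the constructed feed only half of the patched advisories would show up.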
