CVE 101: Demystifying the Three-Letter Acronym

A CVE (Common Vulnerabilities and Exposures) is a globally unique ID for one vulnerability, formatted as CVE, the year, and a unique number (CVE-2025-12345). Every vendor, scanner, and ticket references the same issue.

CVSS (Common Vulnerability Scoring System) is a zero-to-10 technical severity score built from attack vector, attack complexity, privileges required, user interaction, scope, and impact.

A CNA (CVE Numbering Authority) is a trusted vendor, research group, or coordinator approved to assign CVE IDs and coordinate disclosure within its scope.

CVSS measures technical severity, not business risk. A 9.8 on an isolated test box can be less urgent than a 7.5 on a public-facing app tied to revenue.

Primary lookup sources are the MITRE CVE list, the National Vulnerability Database (NVD) for CVSS scores and metadata, vendor advisories for the fastest path to patches, and the CISA Known Exploited Vulnerabilities catalog for what's actively exploited.