What is a CVE? Meaning, details & how to check if you're affected
A plain-English guide to Common Vulnerabilities and Exposures · 613 products tracked · 1046 CVEs actively exploited right now · updated June 2026
A CVE (Common Vulnerabilities and Exposures) is a unique public ID for one specific security vulnerability — for example CVE-2024-3094. It's the shared name the whole industry uses so that a vendor, a researcher and your security team are all talking about the same flaw. CVEs don't fix anything themselves; they make a vulnerability findable, trackable and patchable.
What does CVE stand for?
CVE stands for Common Vulnerabilities and Exposures. It is a catalogue of publicly disclosed security flaws, each given a standard identifier in the form CVE-YEAR-NUMBER (e.g. CVE-2021-44228, the Log4Shell vulnerability). The year is when the ID was reserved, and the number is a unique sequence.
CVE meaning, in plain English
Think of a CVE as a licence plate for a security bug. Two scanners, three vendors and your auditor might describe the same flaw in different words — but if they all cite CVE-2024-3094, there's no ambiguity about which problem they mean or whether it's been fixed. That single shared reference is the entire point of the CVE system.
CVE vs vulnerability — are they the same?
Almost, but not quite. A vulnerability is the actual weakness in the code. A CVE is the public record and identifier assigned to it. Every CVE points to a vulnerability, but the CVE is the label — the way we file, search and report the flaw. When people say "a CVE in security," they mean a known, catalogued vulnerability that defenders can act on.
Who assigns CVE numbers? (MITRE, CNAs & CISA)
The CVE Program is run by MITRE, a non-profit, and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). IDs are issued by MITRE and a global network of CVE Numbering Authorities (CNAs) — which include Microsoft, Red Hat, Google and hundreds of other vendors who can assign CVEs for their own products.
CVE, CVSS, KEV, EPSS — the jargon, decoded
- CVE — the identity of the vulnerability (what it is).
- NVD (National Vulnerability Database) — the U.S. database that enriches each CVE with severity and affected-version data.
- CVSS — a 0–10 severity score (how bad it is in theory). 9.0+ is Critical.
- CISA KEV — the Known Exploited Vulnerabilities catalogue: CVEs attackers are using right now. This is the list to fix first.
- EPSS — a probability (0–100%) that a CVE will be exploited in the near future.
A high CVSS score tells you a flaw is dangerous; KEV and EPSS tell you whether it's actually being used against people. IsItPatched combines all four into one verdict — see the methodology.
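As an added illustration (not IsItPatched's code or methodology), the Python sketch below pulls CVE-YEAR-NUMBER identifiers out of scanner output, de-duplicates them and orders them KEV first, then by EPSS, then by CVSS. The ordering policy, the placeholder CVE IDs and all scores are constructed assumptions; the severity bands below Critical follow the CVSS v3.x qualitative scale.

```python
import re

# CVE-YEAR-NUMBER: four-digit year, then a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

def extract_cve_ids(text):
    """Distinct CVE IDs found in text, upper-cased, in first-seen order."""
    ids = (f"CVE-{m.group(1)}-{m.group(2)}" for m in CVE_RE.finditer(text))
    return list(dict.fromkeys(ids))

def cvss_band(score):
    """CVSS v3.x qualitative rating for a 0-10 base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return name
    return "Low"

def triage(text, enrichment):
    """Order the CVEs named in text: KEV first, then EPSS, then CVSS (assumed policy)."""
    known = [c for c in extract_cve_ids(text) if c in enrichment]
    def key(cve_id):
        cvss, in_kev, epss = enrichment[cve_id]
        return (not in_kev, -epss, -cvss, cve_id)
    return [(c, cvss_band(enrichment[c][0])) for c in sorted(known, key=key)]

# Constructed scanner output: one flaw is reported twice, one ID is lower-case.
SCAN_OUTPUT = """
host-a: libexample 1.2 vulnerable to CVE-2099-0001 (remote)
host-b: cve-2099-0002 in exampled 3.4
host-c: CVE-2099-0001, CVE-2099-0003 and CVE-2099-12345
"""

# Constructed enrichment data: id -> (CVSS score, listed in KEV, EPSS probability).
ENRICHMENT = {
    "CVE-2099-0001": (9.8, False, 0.02),
    "CVE-2099-0002": (7.5, True, 0.91),
    "CVE-2099-0003": (5.3, False, 0.40),
    "CVE-2099-12345": (9.1, False, 0.02),
}

if __name__ == "__main__":
    for cve_id, band in triage(SCAN_OUTPUT, ENRICHMENT):
        print(cve_id, band)
```

With this sample data the KEV-listed High finding sorts above both Critical ones, which is the distinction between theoretical severity and observed exploitation.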
Where to find CVE details & browse a CVE list
The authoritative sources for open CVE data are the MITRE CVE List and the NVD. IsItPatched turns that raw data into plain-English pages and adds the one thing those databases don't: whether your specific version is affected. Browse our live data:
- Actively exploited CVEs — the 1046 flaws in CISA's KEV catalogue, sorted by what matters.
- All tracked products — 613 products with their current security posture.
- Check your version — paste a product + version, get an instant verdict.
How to check if a CVE affects you
Knowing a CVE exists isn't the question — "does it affect the version I'm running?" is. That's exactly what IsItPatched answers. Paste your version (for example Apache 2.4.49 or nginx 1.24.0) and you'll see whether known CVEs apply, the minimum safe version to upgrade to, and whether anything is being actively exploited.
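The version check described above, as an added Python example that is not IsItPatched's implementation. It assumes each advisory carries an inclusive `introduced` version and an exclusive `fixed` version (or `None` if unfixed); the product, the placeholder CVE IDs and the ranges are constructed.

```python
import re

def parse_version(text):
    """'3.2.0' -> (3, 2); trailing zeros dropped so 3.2 == 3.2.0."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def affecting(version, advisories):
    """Advisories whose range [introduced, fixed) contains version."""
    v = parse_version(version)
    return [a for a in advisories
            if parse_version(a["introduced"]) <= v
            and (a["fixed"] is None or v < parse_version(a["fixed"]))]

def check(version, advisories):
    """Which advisories apply, the minimum safe version, and KEV status."""
    hits = affecting(version, advisories)
    candidate, pending = version, hits
    # A fix release can itself sit inside another advisory's range, so keep
    # stepping forward until a version is clear of every advisory.
    while pending:
        if any(a["fixed"] is None for a in pending):
            candidate = None  # no fixed release exists yet
            break
        candidate = max((a["fixed"] for a in pending), key=parse_version)
        pending = affecting(candidate, advisories)
    return {"affected_by": sorted(a["id"] for a in hits),
            "minimum_safe": candidate,
            "actively_exploited": any(a["in_kev"] for a in hits)}

# Constructed advisories for a hypothetical product; the second one affects
# only the release that fixed the first.
ADVISORIES = [
    {"id": "CVE-2099-0001", "introduced": "3.0", "fixed": "3.2.5", "in_kev": True},
    {"id": "CVE-2099-0002", "introduced": "3.2.5", "fixed": "3.2.6", "in_kev": False},
    {"id": "CVE-2099-0003", "introduced": "1.0", "fixed": "2.9", "in_kev": False},
]

if __name__ == "__main__":
    print(check("3.1.0", ADVISORIES))
```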
Frequently asked questions
What is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a unique, public identifier for one specific security vulnerability in software or hardware — for example CVE-2024-3094. The CVE system gives everyone a shared name for the same flaw so vendors, researchers and defenders can track it without confusion.
What does CVE stand for?
CVE stands for Common Vulnerabilities and Exposures. It is a catalogue of publicly disclosed security flaws, each given a standard ID in the form CVE-YEAR-NUMBER.
What is the difference between a CVE and a vulnerability?
A vulnerability is the actual weakness in the software. A CVE is the public label assigned to that vulnerability so it can be referenced consistently. Every CVE describes a vulnerability, but it is the identifier and record, not the flaw itself.
What is a CVE in security?
In security, a CVE is how teams refer to a known flaw when patching, scanning, or reporting. Tools, advisories and audits all cite CVE IDs so that "is this fixed?" has one unambiguous answer across every vendor and product.
Who assigns CVE numbers?
The CVE Program is run by MITRE and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). MITRE and a network of CVE Numbering Authorities (CNAs) — including many software vendors — assign the IDs.
Where can I find CVE details?
Authoritative CVE details come from the MITRE CVE List and the U.S. National Vulnerability Database (NVD), which adds severity scores and affected-version data. IsItPatched aggregates these into plain-English pages and tells you whether your version is affected.
How do I check if a CVE affects my software?
Look up your product and version. IsItPatched lets you paste a version (e.g. "nginx 1.24.0") and instantly see whether known CVEs affect it, the minimum safe version, and whether any are being actively exploited.
CVE® and the CVE logo are registered trademarks of The MITRE Corporation. IsItPatched is an independent service and is not affiliated with or endorsed by MITRE, NIST/NVD or CISA. Always verify against your vendor's official advisories — see our disclaimer.