Published 2026-04-25 · 9 min read

CVE, CVSS, CWE, CPE: a plain-English glossary of security acronyms

Every server-security article you read assumes you already know what a CVE is, what CVSS scores mean, and why people argue about EPSS. This post is the cheat sheet — every acronym you'll trip over, defined plainly, with a one-sentence "when does this actually matter" note.

The vulnerability lifecycle, in seven acronyms

A vulnerability gets an ID, a description, a score, and a place to look it up. Each step has a different acronym attached, maintained by a different organisation. Here's the rough flow:

Researcher discovers bug
   → MITRE assigns a CVE ID (e.g. CVE-2024-6387)
   → CWE classifies the bug type
   → CVSS scores the severity
   → CPE identifies the affected product
   → NVD / OSV / GHSA publish the record
   → KEV flags it if exploited in the wild
   → EPSS predicts likelihood of exploitation

1. CVE — Common Vulnerabilities and Exposures

A unique ID for a publicly known security flaw, of the form CVE-YYYY-NNNNN. CVE IDs are assigned by CNAs (CVE Numbering Authorities) — typically the vendor whose product is affected, falling back to MITRE for orphan cases. The CVE itself is just an identifier and a short description; it does not contain a severity score.

When it matters: any time you read a security advisory. CVE IDs are how every other system in this list refers to the same vulnerability.

2. CVSS — Common Vulnerability Scoring System

A numerical severity score from 0.0 (none) to 10.0 (critical), maintained by FIRST.org. The score is computed from a vector string like CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Each metric describes one aspect: AV is the attack vector, AC the complexity, C/I/A the confidentiality/integrity/availability impact.

Buckets: 9.0–10.0 critical, 7.0–8.9 high, 4.0–6.9 medium, 0.1–3.9 low. CVSS 4.0 launched in 2023, but most tooling still emits CVSS 3.1.

When it matters: for triage. Critical and high findings on internet-facing services demand immediate attention. Lower scores can wait for the regular patching cycle.

3. CWE — Common Weakness Enumeration

A taxonomy of vulnerability types (not specific instances), also maintained by MITRE. Each entry has a CWE ID like CWE-79 (Cross-site Scripting), CWE-89 (SQL Injection), or CWE-787 (Out-of-bounds Write — CWE's #1 most-dangerous weakness three years running).

Every CVE links back to one or more CWEs. The CWE tells you what class of bug it is; the CVE tells you which specific bug.

When it matters: for pattern recognition. If your codebase ships a lot of CWE-89s, you have an SQL-injection problem, not just one bug.

4. CPE — Common Platform Enumeration

A standardised string identifying a product, vendor, and version. Looks like cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*. CPE is what makes "is my installed openssl version vulnerable to this CVE?" a programmable question — the CVE's affected-product list contains CPE strings, your scanner derives CPE strings from the installed versions, and the two can be compared mechanically.

When it matters: any time a tool claims to "match CVEs to your fleet." That tool is comparing CPEs.
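The mechanical comparison the paragraph above describes looks roughly like this. This is an added example, not Noxen's or NVD's code: it splits a CPE 2.3 formatted string into its eleven fields (respecting backslash-escaped colons, which a plain `split(":")` gets wrong), then checks an installed CPE against an affected range expressed the way NVD does it, as a match-criteria string plus optional `versionStartIncluding` / `versionEndExcluding` bounds. The inventory and the advisory range are constructed placeholders, not a real CVE record, and the version ordering is a simple numeric-tuple comparison rather than any ecosystem's official scheme.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The eleven fields that follow the "cpe:2.3:" prefix, in specification order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string on ':' while honouring backslash
    escapes: a literal colon inside a field is written '\\:' and must not split."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields, buf, escaped = [], "", False
    for ch in cpe[len("cpe:2.3:"):]:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ":":
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    if len(fields) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} fields, got {len(fields)}: {cpe!r}")
    return fields


def parse_cpe(cpe: str) -> dict:
    return dict(zip(CPE_FIELDS, split_cpe(cpe)))


def version_key(v: str) -> Tuple:
    """Order versions numerically: '3.0.7' -> ((3,''),(0,''),(7,'')). A letter
    suffix such as '1.1.1t' stays attached so it sorts after plain '1.1.1'."""
    key = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"(\d+)(.*)", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    return tuple(key)


@dataclass(frozen=True)
class AffectedRange:
    """One entry of a CVE's affected-product list in NVD's shape: a CPE match
    criteria string (version normally '*') plus an optional version range."""
    criteria: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def is_affected(installed_cpe: str, rng: AffectedRange) -> bool:
    inst, crit = parse_cpe(installed_cpe), parse_cpe(rng.criteria)
    # '*' in the criteria means ANY; every other non-version field must match exactly.
    for f in CPE_FIELDS:
        if f != "version" and crit[f] != "*" and crit[f] != inst[f]:
            return False
    if crit["version"] != "*":               # criteria pins one exact version
        return crit["version"] == inst["version"]
    if inst["version"] in ("*", "-", ""):    # no concrete installed version: undecidable
        return False
    vk = version_key(inst["version"])
    if rng.version_start_including and vk < version_key(rng.version_start_including):
        return False
    if rng.version_end_excluding and vk >= version_key(rng.version_end_excluding):
        return False
    return True


def match_inventory(inventory: List[str], ranges: List[AffectedRange]) -> List[str]:
    """Return the installed CPEs that fall inside any of the advisory's ranges."""
    return [cpe for cpe in inventory if any(is_affected(cpe, r) for r in ranges)]


# Constructed data: a small fleet inventory and one placeholder advisory
# (not a real CVE record) affecting openssl 3.0.0 up to but excluding 3.0.8.
INVENTORY = [
    "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:3.1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1t:*:*:*:*:*:*:*",
    "cpe:2.3:a:openbsd:libressl:3.8.2:*:*:*:*:*:*:*",
]
EXAMPLE_ADVISORY = [AffectedRange("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                  version_start_including="3.0.0",
                                  version_end_excluding="3.0.8")]

if __name__ == "__main__":
    for hit in match_inventory(INVENTORY, EXAMPLE_ADVISORY):
        print("affected:", hit)
```

Note the undecidable case: an inventory entry whose version field is `*` cannot be placed inside a range, so the matcher returns "not affected" rather than guessing, which is a source of false negatives a scanner should report separately. Distro packages (a Debian `1.1.1n-0+deb11u5` that carries a backported fix) are exactly where this CPE-and-version-range approach breaks down and OSV's ecosystem data is needed.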

5. NVD — National Vulnerability Database

The US government's database of CVEs, run by NIST at nvd.nist.gov. NVD takes the raw CVE record from MITRE and adds the severity score (CVSS), affected products (CPEs), and references. It's the canonical "what does this CVE mean and what's affected" source for most tooling.

NVD has had a chronic enrichment backlog since early 2024 — many newer CVEs are unscored or unanalysed. The community has built alternatives (VulnCheck NVD++, OSV) that fill the gap.

When it matters: behind the scenes. Most scanners pull from NVD or an NVD-derived feed.

6. OSV — Open Source Vulnerabilities

A Google-maintained vulnerability database at osv.dev, focused on open-source ecosystems. Where NVD speaks in CPEs, OSV speaks in package-manager identifiers — Debian source packages, npm module names, PyPI packages, Go modules. For Linux distributions in particular, OSV is more accurate because it includes distro-specific backport information NVD lacks.

When it matters: for accurate Debian/Ubuntu/Alpine CVE matching. Noxen uses OSV as its primary source for Debian and Ubuntu records exactly because of this.

7. GHSA — GitHub Security Advisory

GitHub's vulnerability database, focused on packages hosted on GitHub-adjacent ecosystems (npm, RubyGems, PyPI, Go, Maven, NuGet, Composer, etc.). Each advisory has a GHSA ID like GHSA-jrjp-fxcg-2v6h and usually a corresponding CVE.

When it matters: for Dependabot alerts and any package-ecosystem scanner working off GitHub data.

8. KEV — Known Exploited Vulnerabilities

A US-CISA-maintained subset of CVEs that have been actively exploited in the wild. About 1% of all CVEs make the KEV catalog, but those are the ones that actually cause incidents. CISA mandates that US federal agencies patch KEV-listed CVEs on a fixed timeline.

When it matters: as a triage filter. A "high" CVSS score that's also in KEV is materially more urgent than the same score that isn't. If your scanner can highlight KEV-listed findings, sort by that.

9. EPSS — Exploit Prediction Scoring System

A FIRST.org-maintained probability (0.0 to 1.0) that a CVE will be exploited in the next 30 days, computed from observable indicators (public exploit code, references in attacker tooling, mentions in threat-intel feeds). Distinct from CVSS — CVSS is "how bad would it be"; EPSS is "how likely is it."

When it matters: when you have far more high-CVSS findings than you can patch and need to pick the most likely-to-bite.
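Putting the KEV and EPSS sections together, here is an added example (not from the original post) of the triage ordering they describe: KEV-listed findings first, then exposed critical/high findings, then everything else ranked by EPSS before CVSS, so that a medium-scored bug with a high exploitation probability outranks a critical one nobody is exploiting. The `Finding` records and their scores are constructed, the CVE IDs are deliberately fake placeholders, and the EPSS cut-off `EPSS_WATCH` is an assumed policy value, not a standard.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# CVE IDs are CVE-YYYY-N{4,}: four or more digits, not a fixed width.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed policy threshold: EPSS at or above this pulls a finding forward.
EPSS_WATCH = 0.10


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    in_kev: bool           # present in the CISA KEV catalog
    internet_facing: bool  # the affected service is reachable from the internet

    def __post_init__(self):
        if not CVE_ID_RE.match(self.cve):
            raise ValueError(f"malformed CVE ID: {self.cve!r}")
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS out of range: {self.epss}")


def cvss_bucket(score: float) -> str:
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def sla_tier(f: Finding) -> str:
    """Map one finding to a patch tier. KEV beats everything; critical/high on
    an exposed service is immediate; a high EPSS or a critical score anywhere
    is pulled into the current cycle (assumed policy); the rest waits for the
    regular patching cycle."""
    bucket = cvss_bucket(f.cvss)
    if f.in_kev:
        return "immediate"
    if f.internet_facing and bucket in ("critical", "high"):
        return "immediate"
    if f.epss >= EPSS_WATCH or bucket == "critical":
        return "this-cycle"
    return "regular-cycle"


def triage_key(f: Finding) -> Tuple[bool, bool, float, float]:
    """Sort key: KEV first, then internet-facing, then EPSS descending, then
    CVSS descending. Booleans are negated because False sorts before True."""
    return (not f.in_kev, not f.internet_facing, -f.epss, -f.cvss)


def prioritise(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=triage_key)


# Constructed sample: placeholder CVE IDs, invented scores.
SAMPLE = [
    Finding("CVE-2099-0005", cvss=5.3, epss=0.003, in_kev=False, internet_facing=False),
    Finding("CVE-2099-0003", cvss=9.8, epss=0.010, in_kev=False, internet_facing=False),
    Finding("CVE-2099-0001", cvss=7.5, epss=0.020, in_kev=True, internet_facing=False),
    Finding("CVE-2099-0004", cvss=5.3, epss=0.400, in_kev=False, internet_facing=False),
    Finding("CVE-2099-0002", cvss=9.8, epss=0.900, in_kev=False, internet_facing=True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  cvss={f.cvss:4.1f}  epss={f.epss:.3f}  "
              f"kev={'Y' if f.in_kev else 'n'}  tier={sla_tier(f)}")
```

In the sample, CVE-2099-0004 (medium, EPSS 0.40) lands above CVE-2099-0003 (critical, EPSS 0.01): that inversion is the whole reason EPSS exists alongside CVSS, and it is what the "far more high-CVSS findings than you can patch" situation calls for.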

10. MITRE — the organisation, not an acronym

A US not-for-profit research organisation that maintains the CVE program, the CWE program, the ATT&CK framework (a taxonomy of attacker techniques), and a long list of other adjacent standards. Confusingly, "MITRE" is sometimes used as shorthand for any of those programs depending on context.

11. OWASP — Open Worldwide Application Security Project

A non-profit that publishes the OWASP Top 10 (the most critical web-application risks, refreshed every few years), the OWASP ASVS (Application Security Verification Standard), and a catalogue of open-source security tools. OWASP focuses on application-layer issues rather than infrastructure CVEs.

When it matters: if you build web apps. The OWASP Top 10 is the canonical "what to test for" reference for AppSec.

12. SBOM — Software Bill of Materials

A machine-readable inventory of every component in a piece of software — direct dependencies, transitive dependencies, versions, licenses, hashes. The two dominant formats are SPDX (an ISO standard) and CycloneDX (OWASP's format).

When it matters: when responding to supply-chain incidents. After Log4Shell, every security team that had SBOMs could answer "do we ship Log4j?" in minutes; the rest spent weeks finding out.
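The "do we ship Log4j?" question answered in code, as an added example that is not part of the original post: two constructed SBOMs, one CycloneDX JSON and one SPDX JSON, are normalised to the same component records and searched by package URL (purl) or name. The documents, the service names and the component versions are all made up for the example; the field names (`bomFormat`/`components` for CycloneDX, `spdxVersion`/`packages`/`externalRefs` for SPDX) are the real ones from each format's JSON schema. The CycloneDX document deliberately nests the Log4j component inside an application component, because a scan that only reads the top-level list would miss it.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Two constructed SBOMs, one per deployed service, in the two dominant formats.
SBOMS_JSON: Dict[str, str] = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "application", "name": "billing.jar", "version": "4.2.0",
             # CycloneDX lets a component carry its own nested components.
             "components": [
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.14.1",
                  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.15.2",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}]}),
    "web-frontend": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "web-frontend",
        "packages": [
            {"SPDXID": "SPDXRef-express", "name": "express", "versionInfo": "4.18.2",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:npm/express@4.18.2"}]}]}),
}


def _cyclonedx_components(components: list) -> Iterator[dict]:
    """Walk CycloneDX components depth-first, including nested assemblies."""
    for c in components:
        yield {"name": c.get("name"), "group": c.get("group"),
               "version": c.get("version"), "purl": c.get("purl")}
        yield from _cyclonedx_components(c.get("components", []))


def iter_components(sbom: dict) -> Iterator[dict]:
    """Normalise either format to {name, group, version, purl} records."""
    if sbom.get("bomFormat") == "CycloneDX":
        yield from _cyclonedx_components(sbom.get("components", []))
    elif "spdxVersion" in sbom:
        for p in sbom.get("packages", []):
            # SPDX carries the purl as an external reference rather than a field.
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield {"name": p.get("name"), "group": None,
                   "version": p.get("versionInfo"), "purl": purl}
    else:
        raise ValueError("unrecognised SBOM format (expected CycloneDX or SPDX JSON)")


def find_components(sboms_json: Dict[str, str], pattern: str) -> List[Tuple[str, str, str]]:
    """Answer 'do we ship X?': every (service, identifier, version) whose purl
    (preferred, since it pins the ecosystem) or group/name matches the regex."""
    rx = re.compile(pattern)
    hits = []
    for service, doc in sboms_json.items():
        for comp in iter_components(json.loads(doc)):
            ident = comp["purl"] or "/".join(x for x in (comp["group"], comp["name"]) if x)
            if rx.search(ident):
                hits.append((service, ident, comp["version"] or "unknown"))
    return hits


if __name__ == "__main__":
    for service, ident, version in find_components(SBOMS_JSON, r"log4j-core"):
        print(f"{service}: ships {ident} (version {version})")
```

Matching on the purl rather than the bare name matters in practice: "log4j" alone would also hit log4j-api and the unrelated 1.x line, so the ecosystem and group in the purl are what keep the answer precise enough to act on.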

13. CNA — CVE Numbering Authority

An organisation authorised by MITRE to assign CVE IDs within its scope. Apple, Microsoft, GitHub, Cloudflare, Red Hat, and most large software vendors are CNAs for their own products. When a researcher reports a bug to a vendor, the vendor (acting as a CNA) reserves a CVE ID, then publishes it once a fix is ready.

How they fit together: a worked example

Take CVE-2024-6387 (the regreSSHion bug, July 2024):

That's the whole vocabulary applied to one bug. Now you can read any security advisory without translating.

Noxen is a Mac-native homelab vulnerability scanner that pulls from NVD (via VulnCheck NVD++) and OSV — and reports findings against your installed package versions using CPE and OSV ecosystem matching. $79 one-time at launch.