Anyone new to vulnerability management quickly hits an alphabet soup: CVE, NVD, CWE, CPE, CVSS, KEV, EPSS. They sound interchangeable but each does a specific job, and confusing them leads to real mistakes — like treating a weakness category as if it were a single vulnerability. This guide untangles the four foundational ones.
The four acronyms at a glance
| Acronym | Stands for | What it is | Run by |
|---|---|---|---|
| CVE | Common Vulnerabilities and Exposures | A unique ID for one specific vulnerability | CVE Program (MITRE + CNAs) |
| NVD | National Vulnerability Database | A database enriching CVE records with scores and metadata | NIST |
| CWE | Common Weakness Enumeration | A catalog of weakness types (root-cause categories) | MITRE community |
| CPE | Common Platform Enumeration | A naming scheme for affected products | NIST |
Think of it as a sentence: a CVE (specific flaw) is an instance of a CWE (weakness type), affects products named by CPE, and is scored and described in the NVD.
CVE: the unique identifier
A CVE is a unique label — CVE-2026-12345 — for one specific, publicly disclosed vulnerability in one product. It is purely an identifier: it does not, by itself, carry a severity score or tell you whether the flaw is exploited. Its entire purpose is to give the world a shared, unambiguous name so that advisories, scanners, patches, and news all refer to the same thing.
We cover the format in detail in how to read a CVE identifier, and you can browse hundreds of explained examples in the CVE catalog.
NVD: the enriched database
The National Vulnerability Database (NVD), run by NIST, is not a competitor to CVE — it is built on top of the CVE list. The CVE Program supplies the identifiers and basic records; the NVD then enriches each one with:
- A CVSS severity score (the 0.0–10.0 rating).
- CWE mappings (the weakness type).
- CPE data (the exact affected products and versions).
- References and additional analysis.
So if you want to know “how severe is CVE-2026-12345 and what does it affect?”, the NVD is where that analysis lives. CVE gives the name; NVD gives the dossier.
CWE: the weakness type, not the instance
This is the distinction people most often get wrong. A CWE (Common Weakness Enumeration) describes a category of flaw, not a specific bug. Examples:
- CWE-79 — Cross-site Scripting (XSS)
- CWE-89 — SQL Injection
- CWE-787 — Out-of-bounds Write
- CWE-287 — Improper Authentication
A single CWE is the root cause behind thousands of different CVEs across many products. The relationship is one-to-many: one weakness type → many specific vulnerabilities.
| | CWE | CVE |
|---|---|---|
| Describes | A type of weakness | A specific vulnerability |
| Example | “SQL injection” (CWE-89) | “SQL injection in Product X v2.1” |
| Count | Hundreds of categories | Hundreds of thousands of instances |
| Use | Understanding root causes, secure coding | Tracking and patching a specific flaw |
Understanding CWE matters because fixing the category of weakness in your development process prevents whole families of future CVEs — it is prevention, where CVE tracking is response.
CPE: naming the affected product
CPE (Common Platform Enumeration) solves a deceptively hard problem: precisely naming the software a vulnerability affects. “Apache” is ambiguous — which product, which version? CPE provides a structured string identifying vendor, product, and version so that a scanner can match a vulnerability record to exactly the software you run. Without accurate CPE matching, vulnerability scanners produce false positives and false negatives. It is the unglamorous plumbing that makes automated vulnerability detection possible.
How they all fit together
Here is the full picture for a single vulnerability:
- A flaw is found and gets a CVE ID (the name).
- The NVD analyzes it and assigns a CVSS score (the severity).
- The record is tagged with a CWE (the root-cause weakness type).
- It lists CPE entries (the exact affected products).
- If it is confirmed to be exploited, it lands on the CISA KEV catalog (the “patch this now” signal).
- EPSS estimates how likely it is to be exploited soon.
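Worked example, added here and not part of the original guide: a small Python model of the record assembled above (CVE name, CVSS score, CWE type, CPE match criteria) together with the CPE 2.3 parsing and version-aware matching a scanner needs to avoid the false positives and negatives mentioned in the CPE section. It goes one step past the text by handling the version-range keys the NVD uses (`versionStartIncluding`, `versionEndExcluding`); every vendor, version, CVE id and score below is constructed, and the numeric version comparison is a simplifying assumption.

```python
import re

# CPE 2.3 formatted string: "cpe:2.3:" plus 11 ':'-separated fields; a literal ':' in a value is escaped as '\:'.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe: str) -> dict:
    fields = re.split(r"(?<!\\):", cpe)          # split on unescaped colons only
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, (f.replace("\\:", ":") for f in fields[2:])))

def version_key(v: str) -> tuple:
    # Assumption: plain dotted numeric versions; real products need vendor-specific ordering.
    return tuple(int(x) for x in v.split("."))

def cpe_matches(criterion: dict, installed: str) -> bool:
    """Does one NVD-style match criterion (CPE plus optional version bounds) cover an installed CPE?"""
    want, have = parse_cpe(criterion["criteria"]), parse_cpe(installed)
    for f in CPE_FIELDS:          # '*' in the criterion matches any value; otherwise exact match
        if f != "version" and want[f] != "*" and want[f] != have[f]:
            return False
    if want["version"] != "*":    # exact version pinned in the CPE string itself
        return want["version"] == have["version"]
    v = version_key(have["version"])
    lo, hi = criterion.get("versionStartIncluding"), criterion.get("versionEndExcluding")
    return (lo is None or v >= version_key(lo)) and (hi is None or v < version_key(hi))

# Constructed NVD-shaped records (CVE name, CVSS severity, CWE root cause, CPE match criteria).
# Ids, scores, vendors and versions are made up for this example, not real advisories.
RECORDS = [
    {"cve": "CVE-2026-10001", "cvss": 9.8, "cwe": "CWE-89", "cpe_match": [
        {"criteria": "cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.1.4"}]},
    {"cve": "CVE-2026-10002", "cvss": 6.1, "cwe": "CWE-79", "cpe_match": [
        {"criteria": "cpe:2.3:a:examplecorp:webapp:2.1.4:*:*:*:*:*:*:*"}]},
    {"cve": "CVE-2026-10003", "cvss": 8.8, "cwe": "CWE-89", "cpe_match": [
        {"criteria": "cpe:2.3:a:othervendor:forum:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.0"}]},
]

def affecting(installed: str, records=RECORDS) -> list:
    """The scanner's core join: CVE ids whose CPE criteria match one installed product."""
    return [r["cve"] for r in records if any(cpe_matches(c, installed) for c in r["cpe_match"])]

def cves_by_cwe(records=RECORDS) -> dict:
    """One-to-many: each CWE category collects every CVE instance tagged with it."""
    index = {}
    for r in records:
        index.setdefault(r["cwe"], []).append(r["cve"])
    return index
```

Note how the installed version 2.1.4 falls outside the first record's range but matches the second record's pinned version exactly: getting that boundary wrong is precisely the false-positive/false-negative problem the CPE section describes.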
Together these standards turn a chaotic problem — “there are bugs everywhere” — into a structured, machine-readable system you can actually act on. For how to use the severity and exploitation signals to decide what to fix first, see patch prioritization with KEV, EPSS and CVSS.
Common misconceptions
- “CVE and NVD are the same.” No — CVE assigns IDs; NVD (NIST) adds scoring and metadata on top.
- “A CWE is a specific bug.” No — it is a category; many CVEs share one CWE.
- “The NVD invents CVE numbers.” No — CNAs in the CVE Program assign IDs; the NVD ingests and enriches them.
Key takeaways
- CVE = the unique ID for one flaw.
- NVD = NIST’s enriched database that scores and describes each CVE.
- CWE = the type of weakness, the root-cause category.
- CPE = the standardized name for affected products.
Get them straight and the rest of vulnerability management becomes far less intimidating. Continue with how to read a CVE identifier, CVSS scores explained, or browse the live KEV timeline.