CVEDigest

How to read a CVE identifier (CVE-YYYY-NNNNN explained)

By Editorial team · 2026-06-14

In short: A CVE identifier looks like CVE-2026-12345: the prefix CVE, the year the ID was reserved (not necessarily disclosed), and a sequential number with no fixed length. It is a unique label for one specific publicly-disclosed vulnerability, assigned by a CVE Numbering Authority (CNA). The ID itself carries no severity information — you get that from a CVSS score and from databases like the NVD.

A CVE identifier is a unique, permanent label for a single publicly-disclosed software vulnerability. It looks like this:

CVE-2026-12345

Reading it is simple once you know what each piece does — and, just as importantly, what each piece does not tell you. You can see hundreds of real examples in our CVE explainer catalog.

What do the three parts of a CVE ID mean?

| Part | Example | What it means |
| --- | --- | --- |
| Prefix | CVE | Marks it as a Common Vulnerabilities and Exposures entry. Always present, always uppercase. |
| Year | 2026 | The year the ID was reserved or assigned — not necessarily when the flaw was found or fixed. |
| Sequence number | 12345 | A sequential counter for that year. Four digits minimum, but no maximum — it can be five, six, or more digits. |

So CVE-2026-12345 reads as: the vulnerability assigned sequence number 12345 in the 2026 batch of the CVE program.

The year is the trickiest part

A common misconception is that the year tells you when a vulnerability was discovered or when it became dangerous. It does not. The year reflects when the CVE ID was allocated. A researcher might find a bug in December 2025, report it privately, and only receive an ID in early 2026 — giving it a CVE-2026 prefix. Some IDs are even reserved years before details are published.

The number is not a severity ranking

CVE-2026-00001 is not “worse” or “more important” than CVE-2026-99999. The number is just a counter. Severity is a separate measurement entirely — see our CVSS scores explained guide.

Who assigns CVE identifiers?

CVE IDs are allocated by CVE Numbering Authorities (CNAs). These are organizations — major software vendors, security vendors, bug-bounty platforms, national CERTs — authorized by the CVE Program (coordinated by MITRE with U.S. government sponsorship) to assign IDs within a defined scope.

For example, a large vendor is typically the CNA for vulnerabilities in its own products. This distributed model lets thousands of IDs be issued quickly without a single bottleneck. When no relevant CNA exists, a “CNA of last resort” can step in.

CVE vs. NVD vs. CWE: how they fit together

These three acronyms get conflated constantly. They are distinct:

| Term | What it is | Example |
| --- | --- | --- |
| CVE | A unique ID for one specific vulnerability in one product. | CVE-2026-12345 |
| NVD | The U.S. National Vulnerability Database — enriches CVE records with CVSS scores, affected-product data, and references. | The page giving CVE-2026-12345 a CVSS score of 9.8 |
| CWE | Common Weakness Enumeration — a category of flaw that many CVEs share. | CWE-89: SQL Injection |

In short: a CWE is the type of weakness, a CVE is a specific instance of it in a real product, and the NVD is where that CVE gets scored and described.

What a CVE ID does and does not tell you

A CVE ID, on its own, tells you:

It does not tell you:

This separation is by design. The CVE ID is a naming system, not a risk-scoring system. Keeping identification separate from scoring lets multiple scoring systems (CVSS v3.1, v4.0, vendor-specific ratings) all reference the same neutral identifier.

Why consistent CVE identifiers matter

Before CVE existed, two scanners might describe the same flaw with different names, making it impossible to know if they meant the same thing. The CVE program created a shared vocabulary: when a vendor advisory, a scanner, a news article, and a patch note all cite CVE-2026-12345, you know they are talking about the same vulnerability. That interoperability is the entire point.
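The cross-source matching described above only works if tooling parses the ID format correctly, so this added example (not code from this site or from the CVE Program) extracts IDs using the "four digits minimum, no maximum" rule and groups sources by the ID they cite. The function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Prefix, four-digit year, then a sequence of four OR MORE digits (no maximum).
# The lookbehind stops a match from starting inside a longer token.
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

# Fixed-width pattern, kept only to show how it truncates longer IDs.
NAIVE_RE = re.compile(r"CVE-\d{4}-\d{4}")


class CveId(NamedTuple):
    year: int       # year the ID was reserved or assigned
    sequence: str   # counter for that year, kept as text; not a severity rank

    def __str__(self) -> str:
        return f"CVE-{self.year}-{self.sequence}"


def extract(text: str) -> list[CveId]:
    """Return every well-formed CVE ID in text, in order of appearance."""
    return [CveId(int(y), seq) for y, seq in CVE_RE.findall(text)]


def correlate(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each uppercase-normalized CVE ID to the sources that cite it."""
    cited = defaultdict(set)
    for name, text in sources.items():
        for cve in extract(text):
            cited[str(cve)].add(name)
    return {cve: sorted(names) for cve, names in cited.items()}


# Constructed sample text, not real advisories or scanner output.
SOURCES = {
    "vendor_advisory": "Fixed in 4.2.1: CVE-2026-12345 (see also cve-2026-0042).",
    "scanner": "host=app01 plugin=991 finding=CVE-2026-12345 state=open",
    "patch_note": "Addresses CVE-2026-1234567 and CVE-2026-12345.",
}

if __name__ == "__main__":
    for cve, names in sorted(correlate(SOURCES).items()):
        print(cve, names)
    # Both longer IDs collapse to the same wrong ID under the fixed-width pattern.
    print(NAIVE_RE.findall(SOURCES["patch_note"]))
```

A pattern that assumes exactly four sequence digits silently turns CVE-2026-12345 into CVE-2026-1234, so findings get matched to a different vulnerability's record.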

Key takeaways

Read a CVE ID as prefix + assignment year + sequence number, and remember the number means nothing about severity. To assess real risk, layer on the CVSS score, the KEV exploitation signal, and your own asset inventory.

Next, learn what CVSS scores actually mean, browse the CVE catalog, or read about the methodology behind our data.

Frequently asked questions

What does the year in a CVE ID mean?

It is the year the CVE ID was reserved or assigned, not necessarily the year the vulnerability was discovered, disclosed, or fixed. A flaw found in late 2025 but assigned an ID in 2026 will carry CVE-2026.

Is a lower CVE number more or less severe?

Neither. The number is just a sequential counter and says nothing about severity. Severity comes from the CVSS score, and real-world risk from signals like the CISA KEV catalog and EPSS.

Who assigns CVE identifiers?

CVE IDs are assigned by CVE Numbering Authorities (CNAs) — organizations such as software vendors, security research firms, and CERTs authorized by the CVE Program (overseen by MITRE and CISA) to allocate IDs within their scope.

What is the difference between a CVE and a CWE?

A CVE identifies one specific vulnerability in one product. A CWE (Common Weakness Enumeration) describes a category of weakness, such as 'SQL injection' or 'buffer overflow,' that many different CVEs can share.

Last updated: 2026-06-14