

Tags: CVE, vulnerability, monitoring

What is a CVE — the shared 'jersey number' for vulnerabilities

CVE assigns each vulnerability a unique ID (e.g. CVE-2025-12345) so everyone names the same hole the same way. How to read it, how CVE / CVSS / KEV differ, and how indie developers realistically keep up by letting machines do the monitoring.

Published 2026-06-07 · Updated 2026-06-07 · 3 min read

"CVE-2021-44228", "CVE-2017-5638" — the numbers that headline every big breach. Here's what they actually are, and how an indie developer can realistically keep up.

How to read the number

A CVE id has three parts. The number itself carries no severity meaning (severity is expressed separately, by CVSS).

CVE-2025-12345

  CVE     shared prefix
  2025    year the id was assigned
  12345   sequence number

The CVE identifier. The sequence isn't fixed to four digits — it grows as needed.
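To make the three-part format concrete, here is a small parser and validator for CVE ids. It is an added example, not code from the ITD page or from the CVE program: it encodes the shape described above (fixed prefix, four-digit assignment year, sequence of at least four digits that is zero-padded only up to four), tolerates the case and whitespace variations you meet when copying ids out of headlines, and can pull every id out of a block of free text. The cut-off year of 1999 is the year the CVE list started; the sample text it is run on is constructed.

```python
import re
from dataclasses import dataclass

# Shape of a CVE id: the fixed "CVE" prefix, the four-digit year the id was
# assigned, and a sequence number of at least four digits that grows as needed.
CVE_PATTERN = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# The CVE list started in 1999, so no valid id carries an earlier year.
FIRST_CVE_YEAR = 1999


@dataclass(frozen=True)
class CveId:
    year: int       # year the id was assigned (says nothing about severity)
    sequence: int   # sequence number within that year

    def __str__(self) -> str:
        # Canonical form: the sequence is zero-padded to four digits, never more.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one CVE id, tolerating lower case and surrounding whitespace.

    Raises ValueError for anything that is not a well-formed id: wrong prefix,
    two-digit year, a sequence shorter than four digits, a sequence longer than
    four digits with leading zeros, or an assignment year before the list existed.
    """
    cleaned = text.strip().upper()
    match = CVE_PATTERN.match(cleaned)
    if not match:
        raise ValueError(f"not a CVE id: {text!r}")
    year_str, seq_str = match.group(1), match.group(2)
    if len(seq_str) > 4 and seq_str.startswith("0"):
        raise ValueError(f"sequence is padded beyond four digits: {text!r}")
    year = int(year_str)
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year {year}: {text!r}")
    return CveId(year=year, sequence=int(seq_str))


def is_valid_cve_id(text: str) -> bool:
    """True if parse_cve_id accepts the text, False otherwise."""
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def find_cve_ids(text: str) -> list[str]:
    """Extract every CVE id mentioned in free text (a headline, a commit message,
    an advisory), normalised to canonical form, de-duplicated, in order of first
    appearance. Malformed look-alikes are skipped rather than raising."""
    seen: dict[str, None] = {}
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        if is_valid_cve_id(m.group(0)):
            seen[str(parse_cve_id(m.group(0)))] = None
    return list(seen)


if __name__ == "__main__":
    # Constructed sample text; the two ids are the ones named on this page.
    sample = "Log4Shell (cve-2021-44228) again, and CVE-2021-44228 after CVE-2017-5638."
    for cve in find_cve_ids(sample):
        parsed = parse_cve_id(cve)
        print(f"{cve}: assigned {parsed.year}, sequence {parsed.sequence}")
```

Note that the parser deliberately refuses to attach any meaning to the year or sequence beyond "when" and "which": severity lives in CVSS, and whether the hole is being exploited lives in KEV, both of which are looked up by this id, not derived from it.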

Why it's needed

Vulnerabilities are found constantly. Without a shared name, "that hole you mean" and "this hole I fixed" might not be the same thing. A common ID lets news, patches, scanners, and databases all point at the exact same vulnerability. That's the starting point for any fix.

CVE vs CVSS vs KEV — don't conflate them

These three travel together but answer different questions. You use all three to prioritize.

Term    Answers                          Example
CVE     Which vulnerability (the name)   CVE-2021-44228 (Log4Shell)
CVSS    How severe (0–10)                10.0 (worst class)
KEV     Is it being exploited?           On the exploited list → top priority

A high CVSS isn't automatically top priority

The score is a "worst-case theoretical value". In practice, weigh KEV (is it being exploited right now) and whether you use the affected feature. A 10.0 you don't use has small impact; a mid-score under active exploitation is top priority.

From assignment to fix

A CVE isn't published the instant it's found — it goes through coordination.

1. Discovery & report
   A researcher or vendor finds it and reports it to a CVE Numbering Authority (CNA).

2. Reserved
   A CVE id is reserved first; details stay private.

3. Published
   Details are disclosed, usually alongside a patch — often "fix and disclosure together".

4. Exploited (KEV)
   Once real attacks are observed it becomes top priority. Neglect here is how you get breached.

A realistic way to keep up

Tracking every CVE by hand is impossible, and the miss becomes the incident.

See also: A public CVSS 10.0 overlooked for months

So let machines watch.

Common mistakes

  • Reading the news and judging "probably fine" by hand
  • Measuring risk from package.json text alone
  • "Update someday" with no deadline

Let machines watch

  • Dependabot (GitHub): auto-PRs for CVEs matching your dependencies
  • osv-scanner (Google): checks your lockfile in CI, one step
  • Judge by the version actually running (not the floor)

The key is to judge by the version actually running — the package.json version floor lies (this misjudgment also fed an RCE incident).
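The following example ties together the two points above, prioritizing by KEV and feature use rather than by CVSS alone, and judging by the version that actually installed rather than the package.json floor. It is an added example, not code from the ITD page, from Dependabot or from osv-scanner. The package.json, package-lock.json, advisories and "feature in use" table are all constructed: the package names are hypothetical, the CVE ids are placeholders, and the advisory ranges borrow the introduced/fixed event shape used by OSV advisories. The version comparison handles plain dotted numeric versions only.

```python
import json
from dataclasses import dataclass

# ---- Constructed sample inputs (hypothetical packages, placeholder ids) ----------
# package.json only states a floor: "^4.18.0" means 4.18.0 or any later 4.x.
PACKAGE_JSON = json.dumps({"dependencies": {
    "example-http": "^4.18.0",
    "example-utils": "^4.17.0",
    "example-render": "^2.0.0",
}})

# The lockfile records what actually installed (lockfile v3 layout, constructed).
PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-http": {"version": "4.18.2"},
    "node_modules/example-utils": {"version": "4.17.21"},
    "node_modules/example-render": {"version": "2.3.0"},
}})

# Constructed advisories: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "CVE-YYYY-PLACEHOLDER-A", "package": "example-http",
     "introduced": "4.0.0", "fixed": "4.19.0", "cvss": 6.5, "in_kev": True},
    {"id": "CVE-YYYY-PLACEHOLDER-B", "package": "example-utils",
     "introduced": "4.0.0", "fixed": "4.17.21", "cvss": 9.8, "in_kev": False},
    {"id": "CVE-YYYY-PLACEHOLDER-C", "package": "example-render",
     "introduced": "2.0.0", "fixed": "2.4.0", "cvss": 10.0, "in_kev": False},
]

# Whether the app actually exercises the affected package (constructed answers).
FEATURE_USED = {"example-http": True, "example-utils": True, "example-render": False}


@dataclass
class Finding:
    advisory_id: str
    package: str
    floor_version: str          # what package.json promises at minimum
    installed_version: str      # what the lockfile says is really there
    floor_says_affected: bool   # the misjudgment: reasoning from the floor
    installed_affected: bool    # the real answer
    cvss: float
    in_kev: bool
    feature_used: bool


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "4.17.21" into (4, 17, 21) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def floor_of(range_spec: str) -> str:
    """Strip the range operator from a package.json spec, leaving the floor version."""
    return range_spec.lstrip("^~>=v ")


def installed_versions(lock_text: str) -> dict[str, str]:
    """Map package name -> installed version from a v3 package-lock.json."""
    versions: dict[str, str] = {}
    for path, info in json.loads(lock_text)["packages"].items():
        if "node_modules/" not in path:      # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested node_modules
        versions[name] = info["version"]
    return versions


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(package_json_text: str, lock_text: str, advisories: list[dict],
         feature_used: dict[str, bool]) -> list[Finding]:
    """Evaluate every advisory against both the floor and the installed version."""
    floors = {name: floor_of(spec)
              for name, spec in json.loads(package_json_text)["dependencies"].items()}
    installed = installed_versions(lock_text)
    findings = []
    for adv in advisories:
        name = adv["package"]
        if name not in installed:
            continue
        findings.append(Finding(
            advisory_id=adv["id"], package=name,
            floor_version=floors.get(name, "?"), installed_version=installed[name],
            floor_says_affected=name in floors and is_affected(floors[name], adv),
            installed_affected=is_affected(installed[name], adv),
            cvss=adv["cvss"], in_kev=adv["in_kev"],
            feature_used=feature_used.get(name, True),   # unknown use counts as used
        ))
    return findings


def triage(findings: list[Finding]) -> list[Finding]:
    """Keep only what is really affected; rank KEV first, then feature use, then CVSS."""
    real = [f for f in findings if f.installed_affected]
    return sorted(real, key=lambda f: (not f.in_kev, not f.feature_used, -f.cvss))


if __name__ == "__main__":
    for f in triage(scan(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES, FEATURE_USED)):
        print(f"{f.advisory_id} {f.package}@{f.installed_version} "
              f"cvss={f.cvss} kev={f.in_kev} used={f.feature_used}")
```

Run as-is, the floor marks all three packages affected, while the lockfile clears example-utils (installed 4.17.21 is the fixed version). Of the two real hits, the mid-score advisory on the KEV list outranks the CVSS 10.0 in a package the app does not use, which is exactly the ordering the table above argues for.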

FAQ

Q: How do I read a CVE number?
A: It's 'CVE-year-sequence'. For example CVE-2025-12345 was assigned in 2025. The number itself carries no severity — severity is expressed separately by CVSS. The sequence is not fixed at four digits; it grows as needed.

Q: What's the difference between CVE, CVSS and KEV?
A: CVE is the name (which vulnerability), CVSS is the 0–10 severity score (how bad), and KEV is a list of vulnerabilities observed being exploited in the wild. For prioritization, weigh KEV (being attacked now) as heavily as a high CVSS.

Q: Isn't tracking every CVE impossible for one developer?
A: By hand, yes — and the misses become incidents. So let machines watch: Dependabot (GitHub) or osv-scanner automatically notify you of CVEs that match your dependencies.