CVE
Common Vulnerabilities and Exposures
What is a CVE?
A CVE (Common Vulnerabilities and Exposures) entry is a unique, public identifier assigned to a specific security vulnerability in a specific piece of software. The system is maintained by MITRE with identifiers issued through CVE Numbering Authorities, and each entry follows the format CVE-YEAR-NUMBER, for example CVE-2021-44228 (the Log4Shell vulnerability in Log4j). A CVE is a name, not a rating: it says “this exact flaw exists in these versions” so that scanners, vendors, and security teams can all refer unambiguously to the same problem. Severity is layered on separately, most commonly as a CVSS score from 0 to 10, and details live in databases such as the NVD (National Vulnerability Database).
How it shows up in real code
For most teams, CVEs arrive through dependency scanners. Tools like npm audit, Dependabot, Trivy, or Snyk compare a project’s dependency tree against CVE databases and report matches:
lodash 4.17.15: CVE-2020-8203, prototype pollution, high severity. Fixed in 4.17.19.The vulnerable code is usually not code you wrote. It is code you inherited through a framework, a transitive dependency five levels deep, or a base container image, which is why a project can accumulate dozens of open CVEs without anyone making a single mistake.
Why it matters in a code audit
A raw CVE count is a poor metric, and an audit’s job is to turn the list into decisions. Two questions matter for each finding: is the vulnerable code path actually reachable in this application, and how bad is exploitation if it is? A critical CVE in a library function the app never calls can rank below a medium one sitting directly on the login path. Auditors also read the process signal: many old, unpatched CVEs usually mean there is no upgrade routine at all, which is a heavier finding than any individual entry. Named CVEs give known flaws a label, but the same vulnerability classes, like SQL injection and XSS, appear unnamed in first-party code, and the top vulnerabilities code audits catch covers both sides.
A free code audit will tell you which of your open CVEs are actually urgent and which are noise.
Free · no strings shown later
Get your free code audit
A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.
Request my free audit