Glossary term
CVE
Also: Common Vulnerabilities and Exposures
Global identifier for publicly known security vulnerabilities in software and hardware. Format CVE-YYYY-NNNN, run by MITRE on behalf of CISA. More than 200,000 CVEs as of 2025.
Each CVE entry contains a short description, the affected products and versions, and references to patches and proof-of-concept code (PoCs). CVEs are assigned by CVE Numbering Authorities (CNAs), including Microsoft, Cisco, Red Hat and GitHub.
Related: CVSS (Common Vulnerability Scoring System) gives a severity score from 0 to 10. CWE (Common Weakness Enumeration) classifies the vulnerability class. KEV (Known Exploited Vulnerabilities), maintained by CISA, lists CVEs known to be actively exploited and treats patching them as mandatory.
Practice: a modern vulnerability management programme prioritises by KEV listing, EPSS score (Exploit Prediction Scoring System) and asset criticality, not blindly by CVSS.
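As an added illustration (not part of the original glossary entry), a small Python helper that validates CVE identifiers and ranks findings the way the Practice note describes: KEV listing first, then EPSS weighted by asset criticality, with CVSS only as a tie-breaker. The weights, the asset-criticality scale and the sample findings are constructed assumptions, and the CVE IDs are placeholders (year 2099), not real records.

```python
import re
from dataclasses import dataclass

# CVE IDs have the form CVE-YYYY-NNNN; the sequence part is four or more
# digits, so CVE-2023-12345 is also well-formed.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(s: str):
    """Return (year, sequence) for a well-formed CVE ID, else None."""
    m = CVE_ID.match(s.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

@dataclass
class Finding:
    cve: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability of exploitation, 0-1
    in_kev: bool             # listed in CISA KEV
    asset_criticality: int   # 1 (low) .. 3 (crown jewels); assumed local scale

def priority(f: Finding) -> float:
    """KEV dominates, then exploit likelihood scaled by asset value;
    CVSS only separates otherwise equal findings. Weights are illustrative."""
    return (1000 if f.in_kev else 0) + f.epss * 100 * f.asset_criticality + f.cvss

def by_cvss_only(findings):
    """The 'blind' ordering the Practice note warns against, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def prioritise(findings):
    """Validate every ID, then order by the risk-based priority."""
    bad = [f.cve for f in findings if parse_cve_id(f.cve) is None]
    if bad:
        raise ValueError(f"malformed CVE IDs: {bad}")
    return [f.cve for f in sorted(findings, key=priority, reverse=True)]

# Constructed sample findings with placeholder IDs; scores are made up.
SAMPLE = [
    Finding("CVE-2099-0001", cvss=9.8, epss=0.01, in_kev=False, asset_criticality=1),
    Finding("CVE-2099-0002", cvss=7.5, epss=0.92, in_kev=True,  asset_criticality=2),
    Finding("CVE-2099-12345", cvss=5.3, epss=0.40, in_kev=False, asset_criticality=3),
]

if __name__ == "__main__":
    print("CVSS only:", by_cvss_only(SAMPLE))
    print("Risk-based:", prioritise(SAMPLE))
```

The critical-CVSS finding with negligible exploit likelihood drops to the bottom once KEV status, EPSS and asset criticality are taken into account.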
Related terms
CVSS
Standardised scoring system for vulnerabilities with a 0-10 score. Current version CVSS v4.0 (2023).…
SBOM
Machine-readable inventory of all components in a software incl. versions, licences and dependencies…
Supply Chain Risk
Risks from the software and hardware supply chain: compromised open-source packages, build-pipeline …
CASB
Security layer between users and SaaS providing visibility (shadow IT discovery), data protection (D…
CNAPP
Gartner platform category that combines CSPM, CWPP, CIEM, KSPM, DSPM and IaC scanning into one tool.…
Compliance mapping
The explicit link between a decision (vendor, architecture, control) and the specific regulatory art…
Confidential Computing
Hardware-based isolation that keeps data encrypted during processing (data-in-use). Complements encr…
Critical ICT Third-Party Provider (CTPP)
ICT third-party provider designated critical by the European Commission under DORA Art. 31, falling …
