The Common Vulnerabilities and Exposures (CVE) system, originally Common Vulnerability Enumeration, provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' Homeland Security Systems Engineering and Development Institute FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system as well as the basis for the US National Vulnerability Database.

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers originally had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-"), but this practice was ended in 2005 and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g., a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry). If found not to meet criteria, MITRE or a CVE Numbering Authority (CNA) can summarily place the entry into REJECTED status.

CVEs are assigned by a CVE Numbering Authority (CNA). While some vendors acted as a CNA before, the name and designation was not created until 1 February 2005. There are four primary types of CVE number assignments:

When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or historically in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence and coordination can refer to the CVE number to ensure all parties are referring to the same vulnerability. Information on getting CVE identifiers for issues with open source projects is available from Red Hat and GitHub.

CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category, but custom-built software that is not distributed would historically not be given a CVE. For the first two decades of the program, services (e.g., a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g., an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed. Official rules have not been published regarding this change but some CNAs including MITRE have begun assigning CVEs to service-based vulnerabilities as far back as 2000.

The CVE database contains several fields:

This is a standardized text description of the issue(s). One common entry is: