Safeguard
Security

CVE Vulnerability Database: How the CVE and NVD System Actually Works

What the CVE vulnerability database is, how MITRE and the NVD divide the work, what a CVE record contains, and how to use it without drowning in noise.

Safeguard Research Team
Research
6 min read

The CVE vulnerability database is not one thing but a system: CVE is a program run by MITRE that assigns unique identifiers to publicly disclosed security flaws, and databases like the NVD enrich those identifiers with severity scores and searchable metadata. People say "the CVE database" as if it were a single lookup table, but understanding the split between the identifier program and the databases that consume it is what lets you actually use this data for vulnerability management instead of drowning in it.

CVE: the identifier program

CVE stands for Common Vulnerabilities and Exposures. The program, operated by MITRE with U.S. government sponsorship, exists to give every publicly known vulnerability a single canonical name. Before CVE, two vendors might describe the same bug with different names and you had no way to know it was one issue. A CVE ID like CVE-2021-44228 (the Log4Shell identifier) solves that: everyone references the same string.

IDs are issued by CVE Numbering Authorities (CNAs). A CNA is an organization authorized to assign CVE IDs within its scope — major vendors like Microsoft, Red Hat, and Google are CNAs for their own products, and MITRE acts as a CNA of last resort for everything else. The format is CVE-YYYY-NNNN, where the year is when the ID was reserved (not necessarily when the flaw was disclosed) and the numeric portion is a sequence that can run to five or more digits.

A base CVE record is intentionally minimal: an ID, a short description, references, and the assigning CNA. It does not, by itself, tell you how bad the issue is or which exact package versions are affected in a machine-readable way. That enrichment is somebody else's job.

NVD: the enrichment layer

The National Vulnerability Database (NVD), run by the U.S. National Institute of Standards and Technology (NIST), is the best-known consumer of the CVE feed. When a CVE is published, the NVD ingests it and adds analysis: a CVSS severity score, affected-product data expressed as CPE (Common Platform Enumeration) strings, and weakness classification via CWE identifiers.

This is why people conflate CVE and NVD — you search "a vulnerability database cve" lookup and land on an NVD page, so the two feel like the same thing. They are not. MITRE assigns the identity; the NVD (and other databases) add the severity and matching data on top. If the NVD is backlogged on analysis, a CVE can exist with no CVSS score attached yet, which is a real operational gotcha when you rely on severity to prioritize.

What CVSS scores mean, and their limits

CVSS (Common Vulnerability Scoring System) produces a 0.0 to 10.0 base score, bucketed as Low, Medium, High, and Critical. The base score reflects intrinsic properties — attack vector, complexity, privileges required, and impact to confidentiality, integrity, and availability. It is genuinely useful for triage, but it has two well-known limitations.

First, the base score ignores your context: whether the vulnerable code is reachable in your deployment, whether the affected component is exposed to untrusted input, and whether a compensating control exists. A CVSS 9.8 in a library function you never call is lower real-world risk than a 6.5 on your login endpoint. Second, CVSS does not tell you whether the flaw is being exploited in the wild. For that, teams increasingly layer in CISA's Known Exploited Vulnerabilities (KEV) catalog and the EPSS exploit-prediction score.

Beyond the NVD: the wider ecosystem

The CVE feed also drives databases that are often faster or more developer-focused than the NVD. The GitHub Advisory Database curates advisories keyed to specific package ecosystems (npm, PyPI, Maven, and more), which makes it far easier to map a CVE to a package.json entry than raw CPE strings. The OSV (Open Source Vulnerabilities) project provides a standardized, machine-readable schema across ecosystems. Vendor advisories from Red Hat, Debian, and others add distribution-specific fix information.

The practical takeaway: do not treat any single database as the whole truth. The NVD is authoritative for CVSS and CPE, but for open-source dependency matching, ecosystem-specific databases usually give you cleaner version ranges and faster coverage. Verify any specific CVE claim against the primary source — check the NVD record directly rather than a secondhand summary, because affected-version ranges get misquoted constantly.

Using the CVE database in practice

Raw CVE lookups are fine for investigating a single named flaw. They fall apart as a vulnerability-management strategy because you cannot manually cross-reference thousands of dependencies against the feed every day. This is where software composition analysis comes in: an SCA tool such as Safeguard inventories your dependencies, matches them against CVE data across multiple databases, and filters by whether the vulnerable code is actually reachable — turning the firehose into a short, prioritized list.

A workflow that scales looks like this:

  1. Maintain an SBOM so you always know what components you run.
  2. Automatically match that inventory against CVE-derived databases (NVD plus ecosystem sources).
  3. Prioritize with more than CVSS alone — fold in exploit signals (KEV, EPSS) and reachability.
  4. Track remediation to closure rather than re-triaging the same findings each scan.

The CVE program gives the world a common vocabulary for vulnerabilities. Turning that vocabulary into fewer incidents is about the process you wrap around it.

FAQ

What is the difference between CVE and NVD?

CVE is the MITRE-run program that assigns a unique identifier and short description to each public vulnerability. The NVD is a NIST-run database that ingests those CVEs and adds enrichment such as CVSS severity scores, CWE weakness types, and affected-product (CPE) data.

Who assigns CVE IDs?

CVE Numbering Authorities (CNAs) assign them. Many vendors are CNAs for their own products, and MITRE acts as the CNA of last resort. IDs follow the format CVE-YYYY-NNNN, where the year is when the ID was reserved.

Is a CVSS score enough to prioritize a vulnerability?

No. The CVSS base score reflects intrinsic severity but ignores your context, including whether the vulnerable code is reachable and whether the flaw is actively exploited. Combine it with exploit data like CISA KEV and EPSS, plus reachability analysis.

Where can I look up a CVE besides the NVD?

The GitHub Advisory Database and the OSV project map CVEs to specific open-source package ecosystems with cleaner version ranges, and vendor advisories add distribution-specific fix details. Use ecosystem databases for dependency matching and the NVD for authoritative CVSS and CPE data.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.