Safeguard
Vulnerability Management

CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong

One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.

Safeguard Research Team
Research
Updated 7 min read

CWE-89, CVE-2004-0366, and a CVSS score are three different kinds of statements about three different things, and conflating them is one of the most common vocabulary failures in application security. CWE-89 is an abstract category — "SQL Injection" — maintained by MITRE as one of more than 900 entries in the Common Weakness Enumeration. CVE-2004-0366 is a specific, dated report of that weakness manifesting in a real product (the libpam-pgsql authentication library), one of over 300,000 identifiers issued through CVE.org since the program launched in 1999. And a CVSS score — say, 7.5 — is neither of those; it is FIRST.org's answer to "how bad is this particular instance," recalculated under a new methodology, CVSS v4.0, released in November 2023 and still running in parallel with the older v3.1 standard on NVD records as of 2026. Teams that use "CVE" to mean "bug category," or treat a CVSS number as a measure of business risk rather than technical severity, end up with triage queues that don't actually rank what matters. The weakness vs vulnerability distinction is the one most teams get backwards first: a weakness is the mistake pattern, a vulnerability is one confirmed, real-world occurrence of it. This piece walks through what each standard measures, who maintains it, and how the three chain together into the pipeline every SCA and SAST tool is quietly built on.

What is a CWE, exactly?

A CWE (Common Weakness Enumeration) is a category of flaw — a pattern of mistake that can occur in many different products, not a report about any single one. MITRE launched CWE in 2006 as a community-developed dictionary, and the current list runs into the 900s (release versions are tagged v4.x, with updates roughly twice a year) plus organizing "Views" like CWE-1000 (Research Concepts), which groups weaknesses by abstract relationships rather than by product type. CWE-89 (SQL Injection), CWE-79 (Cross-Site Scripting), and CWE-798 (Use of Hard-coded Credentials) are all CWE entries — none of them refers to a specific bug in a specific version of a specific product. Each year MITRE, working with community and CISA input, publishes the CWE Top 25 Most Dangerous Software Weaknesses, ranked by how frequently and severely each class has shown up in real CVE records over the prior two years. CWE is the taxonomy layer: it's what lets a security team say "block any finding classified as CWE-502 (deserialization of untrusted data)" as a durable policy, instead of re-deciding severity every time a new instance shows up.

What is a CVE, and how does it differ from a CWE?

A CVE (Common Vulnerabilities and Exposures) record is a specific, real-world instance of a weakness — tied to a named product, a version range, and usually a disclosure date — not the general category it belongs to. This is the cleanest way to state the weakness vs vulnerability split: CWE names the class of mistake, CVE names one confirmed case of it in the wild. Identifiers follow the CVE-YYYY-NNNNN format; CVE.org, run by MITRE and sponsored by CISA, delegates the actual assignment work to a distributed network of CVE Numbering Authorities (CNAs), which now include hundreds of vendors, researchers, and open-source foundations who can mint IDs for issues in their own software. Each CVE record is typically mapped back to one or more CWE IDs as its "root cause" classification: CVE-2004-0366, the libpam-pgsql SQL injection flaw, is tagged under CWE-89; a hard-coded default password disclosed in a specific IoT firmware build would be tagged under CWE-798. That mapping is the hinge between the two systems — a single CWE class can and does produce thousands of distinct CVEs across totally unrelated products, but each CVE belongs to a specific, identifiable codebase and version. NVD (NIST's National Vulnerability Database) is the party that actually enriches most CVE records after CVE.org assigns the ID — adding CPE product identifiers, CWE tags, and CVSS scores.

What does a CVSS score actually measure?

A CVSS (Common Vulnerability Scoring System) score measures the technical severity of one specific CVE on a 0.0–10.0 scale, using a standardized formula FIRST.org publishes and updates — it does not measure business risk, exploitation likelihood, or whether the vulnerable code path is even reachable in your deployment. The published severity bands are Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). CVSS v4.0, released in November 2023, restructured the metric groups significantly compared to v3.1: it replaced the old "Temporal" group with a "Threat" group, split the old single "Scope" flag into separate Vulnerable System impact metrics (VC/VI/VA) and Subsequent System impact metrics (SC/SI/SA), and added a new Attack Requirements (AT) base metric to capture preconditions an attacker needs beyond simple access. Because the industry transition is gradual, NVD publishes both a v3.1 score and a v4.0 score on the same CVE record for much of the current catalog — meaning the same vulnerability can carry two numerically different severity ratings simultaneously, both technically correct under their respective standards.

Why does one CWE produce so many CVEs?

One CWE produces many CVEs because a weakness class describes a pattern of mistake that independent engineering teams keep making in unrelated codebases, not a single bug that gets reported once. CWE-89 (SQL Injection) alone underlies many thousands of individual CVE records spanning content management systems, network appliances, ERP software, and homegrown internal tools, because "concatenating untrusted input into a query string" is a mistake that recurs wherever developers write raw SQL without parameterization — it is a coding pattern, not a single point of failure. This is precisely why the CWE Top 25 is useful as a forward-looking prioritization tool even though it's built by analyzing historical CVE data: if CWE-89 and CWE-79 keep appearing at the top of the list year over year, a team can act on that at the pattern level — mandating parameterized queries and output encoding in code review and static analysis rules — rather than waiting to react to each new CVE one at a time as it's disclosed against a specific dependency.

How should an AppSec team actually use these three signals together?

An AppSec team should use these three signals as a chain, not as substitutes for each other: CWE tells you what kind of mistake it is, CVE tells you where it lives in your specific software, and CVSS tells you how severe that specific instance is in isolation — none of which, on its own, tells you whether to act on it right now. A finding tagged CVSS 9.8 (Critical) sitting in a CVE record classified under CWE-502 (unsafe deserialization) sounds urgent by the numbers alone, but if the affected function is never invoked on any code path your application actually executes, the real-world risk is close to zero — which is exactly why exploitability signals like CISA's Known Exploited Vulnerabilities (KEV) catalog and FIRST's own Exploit Prediction Scoring System (EPSS) exist as a fourth layer on top of CVSS, estimating the probability a given CVE gets exploited in the next 30 days rather than just how bad it would be if it did. Safeguard's vulnerability findings surface CVE ID, CVSS score, and EPSS score together on every result, sourced from NVD, GitHub Security Advisories, OSV, and CISA KEV, and pair that with reachability analysis so a Critical-CVSS finding only gets escalated as urgent when your own call graph shows it's actually invokable — turning a raw taxonomy lookup into a prioritized queue instead of a wall of unranked CVE numbers.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.