
CVE (Common Vulnerabilities and Exposures)

Reviewed by: Cenedril Editorial

CVE (Common Vulnerabilities and Exposures) is a standardized identification system for publicly disclosed vulnerabilities in software and hardware. Each vulnerability receives a unique identifier of the form CVE-YYYY-NNNN (e.g., CVE-2024-3094 for the XZ Utils backdoor), where YYYY is the year the ID was reserved or published and NNNN is a sequence number of four or more digits. The year therefore says when the ID was assigned, not when the flaw was introduced or fixed.

In an ISMS, CVE is the common language for vulnerability management under ISO 27001 Annex A control A.8.8 (Management of Technical Vulnerabilities). CVE identifiers enable unambiguous mapping between vulnerability scanners, vendor advisories, patches, and internal tracking, and every finding should carry one where it exists. The CVE List is operated by the MITRE Corporation and populated by CVE Numbering Authorities (CNAs): vendors, researchers, and coordinators authorized to assign IDs for their scope.

A CVE ID on its own carries no severity or exploitability information. Combined with CVSS scores (severity) and CPE names (affected products), as published for example in NIST's National Vulnerability Database (NVD), and with exploitation evidence such as CISA's Known Exploited Vulnerabilities catalog, CVE forms the foundation for prioritized patching.
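The mapping described above only works if every source uses the same, syntactically valid identifier. The following is an added example (not code from this glossary or from any scanner vendor) that validates and normalizes CVE IDs, correlates them across constructed scanner output, an advisory, and a ticket tracker, and reports findings that have no ticket yet. All sample data is constructed; CVE-2024-3094 is the real XZ Utils ID, while the CVE-2099-* IDs are placeholders chosen so they cannot collide with real entries.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of four or more digits.
# Four-digit sequences are zero-padded (CVE-2021-0001); longer sequences carry no leading zero.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample inputs (not real tool output). CVE-2099-* IDs are placeholders.
SCANNER_OUTPUT = """\
host=web01 pkg=xz-utils version=5.6.1 finding=CVE-2024-3094 cvss=10.0
host=web01 pkg=libfoo version=1.2.3 finding=cve-2099-0001 cvss=7.5
host=db01 pkg=xz-utils version=5.6.0 finding=CVE-2024-3094 cvss=10.0
host=db01 pkg=libbar version=0.9 finding=CVE-2024-309 cvss=4.0
"""
# Note: the last line carries a malformed ID (3-digit sequence) and must be rejected.

ADVISORY = (
    "Vendor advisory: xz-utils 5.6.0 and 5.6.1 contain a backdoor (CVE-2024-3094). "
    "Upgrade to 5.4.6. A separate issue is tracked as CVE-2099-12345."
)

TRACKER = """\
VULN-17 CVE-2024-3094 patch xz on web01, db01 - status: done
VULN-18 CVE-2099-12345 - status: open
"""

SOURCES = {"scanner": SCANNER_OUTPUT, "advisory": ADVISORY, "tracker": TRACKER}


def normalize_cve_id(raw):
    """Return the canonical upper-case form of a CVE ID, or None if it is not valid."""
    m = CVE_RE.fullmatch(raw.strip())
    if not m:
        return None
    year, seq = m.groups()
    if len(seq) > 4 and seq.startswith("0"):
        return None  # sequences longer than four digits never have leading zeros
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """Collect all valid CVE IDs mentioned anywhere in free text."""
    found = set()
    for m in CVE_RE.finditer(text):
        cid = normalize_cve_id(m.group(0))
        if cid:
            found.add(cid)
    return found


def correlate(sources):
    """Map each CVE ID to the set of source names that mention it."""
    index = {}
    for name, text in sources.items():
        for cid in extract_cve_ids(text):
            index.setdefault(cid, set()).add(name)
    return index


def untracked(index, required="tracker"):
    """CVE IDs seen in any source but missing from the required source (e.g. no ticket)."""
    return sorted(cid for cid, names in index.items() if required not in names)


def scanner_hosts(scanner_text):
    """Map each valid CVE ID in key=value scanner lines to the hosts it was found on."""
    hosts = {}
    for line in scanner_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        cid = normalize_cve_id(fields.get("finding", ""))
        if cid and "host" in fields:
            hosts.setdefault(cid, set()).add(fields["host"])
    return hosts


if __name__ == "__main__":
    index = correlate(SOURCES)
    for cid in sorted(index):
        print(cid, sorted(index[cid]))
    print("hosts:", scanner_hosts(SCANNER_OUTPUT))
    print("no ticket yet:", untracked(index))
```

The malformed scanner finding is dropped rather than silently carried into tickets, the lower-case ID from the scanner correlates with the upper-case ID in the advisory, and the tracker gap (a scanner finding with no ticket) surfaces as the actionable output for A.8.8.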