What Is a CVE? Understanding Vulnerability IDs (2026)
June 9, 2001 · by Pentevo
If you follow security at all, you've seen IDs like CVE-2024-3094. A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a specific, publicly known security flaw. It's the common language that lets everyone — vendors, defenders, tools — refer to the same vulnerability without confusion.
How the ID works
CVE-2024-3094 breaks down as:
- CVE — the prefix.
- 2024 — the year it was assigned.
- 3094 — a unique sequence number.
That's it. The ID itself carries no severity — it's just a name.
CVSS: how severe is it?
Severity comes from CVSS (Common Vulnerability Scoring System), a 0–10 score:
- 9.0–10.0 Critical
- 7.0–8.9 High
- 4.0–6.9 Medium
- 0.1–3.9 Low
CVSS reflects how bad it could be, considering things like attack complexity and impact.
EPSS and KEV: will it actually be exploited?
CVSS tells you severity, but not likelihood. Two newer signals help you prioritize:
- EPSS — the probability a CVE will be exploited in the wild.
- KEV (Known Exploited Vulnerabilities) — a list of CVEs that are already being exploited. If a CVE is on KEV, patch it now.
A "medium" CVSS that's on the KEV list can be far more urgent than a "critical" nobody is exploiting.
Why this matters
There are tens of thousands of new CVEs every year — you can't patch everything at once. Smart prioritization = severity (CVSS) × likelihood (EPSS/KEV) × exposure (is it internet-facing?). Most real-world breaches use known CVEs that simply weren't patched in time, not exotic zero-days.
Track the ones that matter
We maintain a live CVE tracker with the latest vulnerabilities, severity, and exploitation signals — a quick way to stay on top of what's emerging.
To understand how these flaws are found and verified, read What Is Penetration Testing? or start the free Pentevo Academy.
Related reading
Zero-Day Vulnerabilities Explained (2026)
What a zero-day vulnerability is, why it's so dangerous, how zero-day exploits are used, and what defenders can do about the unknown.
FundamentalsVPN Explained: What It Does (and Doesn't) — 2026
How a VPN actually works, what it protects you from, what it doesn't, and how to choose one — without the marketing hype.
FundamentalsWhat Is Penetration Testing? A Beginner's Guide (2026)
A plain-English guide to penetration testing: what it is, the five phases, the main types, and how it differs from a vulnerability scan.
FundamentalsWhat Is a Firewall? Types & How They Work (2026)
A clear explainer of firewalls — what they do, the main types (packet-filtering, stateful, NGFW, WAF), and how they fit into a layered defense.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free