Common Vulnerabilities and Exposures (CVE) is a catalog of known security threats. The catalog is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.
The catalog's main purpose is to standarize the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA). MITRE, a not-for-profit organization that operates research and development centers sponsored by the U.S. federal government, maintains the CVE catalog and public Web site. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).